A Defending Mechanism against DDoS Based on Registration and Authentication

Because a DDoS attack targets destination servers from computers distributed all over the network, it is very hard to locate the attacking sources and resist the attack. In this paper, a new defense mechanism against DDoS based on registration and authentication is proposed. Using bidirectional warning messages, it helps locate attacking sources quickly and resist DDoS more precisely. Under the mechanism, all servers and routers applying for protection from DDoS are required to register first, so that they can transmit warning messages encrypted with a public-key algorithm, which prevents spoofing. Flexible defense can be achieved by distributing filtering features and policies dynamically.
