A new border filtering scheme against DDoS attacks

There are two types of packet marking techniques in DDoS defense. IP traceback reconstructs attack paths and entrance nodes, while path identification enables the victim to identify and filter malicious packets effectively. In this paper, we propose an organic combination of both, in which the upstream nodes identify and filter malicious packets. We design a new packet marking and filtering scheme: along the path, the nodes before the border routers mark packets with a path identification scheme, while the border nodes mark packets with an IP traceback scheme. The victim can extract and reconstruct the relevant information from the malicious packets that arrive, and then notify the attack entrance nodes, i.e., the border routers, to filter malicious packets based on the marking information. Large-scale simulation results based on actual Internet topology show that our defense scheme performs better and effectively reduces the impact of the attack on the victim and on the upstream links inside the autonomous system.
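As an added illustration (not the paper's code), the following Python toy models the two-stage scheme: interior hops apply a Pi-style shift mark, the border router stamps its own identifier, the victim groups the marks of packets it deems malicious by entrance router, and that router then filters on the path mark. The field widths, the 2-bit-per-hop shift and the `is_malicious` oracle standing in for the victim's own detection are assumptions.

```python
# Toy simulation of combined path-identification and traceback marking.
# Mark formats are assumptions for illustration, not the paper's encoding.
from collections import defaultdict

PI_FIELD_BITS = 16   # assumed width of the path-identification field
PI_HOP_BITS = 2      # assumed bits each interior hop shifts into it


def pi_mark(mark: int, hop_id: int) -> int:
    """Path identification: each interior hop shifts its low bits into the
    field, so the final value depends on the path, not on the source address."""
    mask = (1 << PI_FIELD_BITS) - 1
    low = hop_id & ((1 << PI_HOP_BITS) - 1)
    return ((mark << PI_HOP_BITS) | low) & mask


def forward(src: str, interior_path: list, border_id: int) -> dict:
    """Carry a packet over the interior nodes (Pi marking), then through the
    border router, which deterministically stamps its own identifier."""
    mark = 0
    for hop in interior_path:
        mark = pi_mark(mark, hop)
    return {"src": src, "pi": mark, "border": border_id}


def victim_reconstruct(packets: list, is_malicious) -> dict:
    """Victim side: group the path marks of packets judged malicious by the
    border stamp, yielding one filter notification per entrance router."""
    notify = defaultdict(set)
    for pkt in packets:
        if is_malicious(pkt):
            notify[pkt["border"]].add(pkt["pi"])
    return dict(notify)


def border_filter(packets: list, border_id: int, notify: dict) -> list:
    """Border router side: drop packets whose path mark was reported for this
    router; spoofed sources do not help, since the mark is path-determined."""
    blocked = notify.get(border_id, set())
    return [p for p in packets if p["pi"] not in blocked]


def simulate() -> list:
    """Constructed scenario: legitimate and attack flows enter via border 7."""
    legit = forward("legit", [1, 2, 3], 7)
    attack = forward("attack", [3, 1, 2], 7)
    spoofed = forward("legit", [3, 1, 2], 7)      # attacker spoofing the source
    notify = victim_reconstruct([legit, attack], lambda p: p["src"] == "attack")
    return [p["src"] for p in border_filter([legit, spoofed, attack], 7, notify)]


if __name__ == "__main__":
    print(simulate())
```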
