Detecting and Preventing IP-spoofed Distributed DoS Attacks

In this paper, we explore mechanisms for defending against Distributed Denial of Service (DDoS) attacks, which have become one of the major threats to the operation of the Internet today. We propose a novel scheme for detecting and preventing the most harmful and difficult-to-detect DDoS attacks: those that use IP address spoofing to disguise the attack flow. Our scheme is based on a firewall that can distinguish the attack packets (containing spoofed source addresses) from the packets sent by legitimate users, and thus filters out most of the attack packets before they reach the victim. Unlike other packet-marking based solutions, our scheme has a very low deployment cost; we estimate that an implementation of this scheme would require the cooperation of only about 20% of the Internet routers in the marking process. The scheme allows the firewall system to configure itself based on the normal traffic of a Web server, so that the occurrence of an attack can be quickly and precisely detected. We have extensively tested our scheme by simulating DDoS attacks with up to several thousand attackers, and the experimental results show that more than 90% of attack packets can be effectively filtered out without much affecting the flow of legitimate packets to the victim Web server.
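The marking-and-filtering idea sketched in the abstract, as an added illustrative simulation written for this page. It is not the authors' code and does not reproduce their actual marking algorithm, which the abstract does not specify; the router identifiers, the two-bits-per-marking-router stamping rule, the /24 prefix granularity, the topology and all traffic are constructed assumptions. The point it shows is the general mechanism: a subset of routers stamp a path-dependent mark into each packet, the firewall learns which marks arrive with which source prefixes during normal traffic, and during an attack it drops packets whose claimed source prefix and observed mark were never seen together, which is exactly what spoofed packets look like, because a zombie's packets carry the mark of the zombie's path, not the path of the address it forges.

```python
"""Toy simulation of marking-based filtering of IP-spoofed DDoS packets.

Constructed illustration, not the paper's scheme: a subset of routers stamp a
16-bit path mark; a firewall in front of the web server learns (source prefix,
mark) pairs from normal traffic and later drops packets with unknown pairs.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

MARK_BITS = 16  # assumption: the mark rides in a 16-bit header field


@dataclass(frozen=True)
class Packet:
    src: str    # claimed IPv4 source address (may be spoofed)
    mark: int   # path mark accumulated in transit


def path_mark(path: List[int], marking_routers: Set[int]) -> int:
    """Mark a packet collects along `path` (list of router ids).

    Assumed rule: each marking router shifts the mark left by two bits and
    ORs in its own 2-bit id (router id mod 4); non-marking routers do nothing.
    """
    mark = 0
    for router in path:
        if router in marking_routers:
            mark = ((mark << 2) | (router & 0x3)) & ((1 << MARK_BITS) - 1)
    return mark


def prefix_of(addr: str, bits: int = 24) -> str:
    """Return the /bits prefix of a dotted-quad address, e.g. 10.1.2.3 -> 10.1.2.0/24."""
    o = [int(x) for x in addr.split(".")]
    n = (o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]
    n &= (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF
    return f"{n >> 24}.{(n >> 16) & 255}.{(n >> 8) & 255}.{n & 255}/{bits}"


class MarkFilter:
    """Firewall that self-configures from normal traffic, then filters by (prefix, mark)."""

    def __init__(self) -> None:
        self.table: Dict[str, Set[int]] = defaultdict(set)

    def learn(self, pkt: Packet) -> None:
        self.table[prefix_of(pkt.src)].add(pkt.mark)

    def accept(self, pkt: Packet) -> bool:
        return pkt.mark in self.table.get(prefix_of(pkt.src), set())


# Constructed topology: each client prefix reaches the server over a fixed path;
# router 12 is the server's gateway. Only routers 5, 7, 9 and 10 mark packets.
PATHS: Dict[str, List[int]] = {
    "10.1.0.0/24": [1, 5, 9, 12],
    "10.2.0.0/24": [2, 6, 9, 12],
    "10.3.0.0/24": [3, 7, 10, 12],
    "10.4.0.0/24": [4, 8, 10, 12],
}
MARKING: Set[int] = {5, 7, 9, 10}


def _host(prefix: str, h: int) -> str:
    return prefix.split("/")[0].rsplit(".", 1)[0] + f".{h}"


def run_simulation() -> Tuple[int, int, int, int]:
    """Returns (legit_accepted, legit_total, attack_dropped, attack_total)."""
    fw = MarkFilter()
    # Learning phase: constructed normal traffic, five hosts per prefix.
    for prefix, path in PATHS.items():
        for h in range(1, 6):
            fw.learn(Packet(_host(prefix, h), path_mark(path, MARKING)))

    # Attack phase. Legitimate clients keep sending from their real prefixes.
    legit = [Packet(_host(p, h), path_mark(path, MARKING))
             for p, path in PATHS.items() for h in range(10, 15)]
    # Zombies sit in 10.3.0.0/24 and spoof sources from every prefix plus an
    # unknown one; every spoofed packet still carries path 3's mark.
    zombie_mark = path_mark(PATHS["10.3.0.0/24"], MARKING)
    spoof_pool = ["10.1.0", "10.2.0", "10.3.0", "10.4.0", "192.0.2"]
    attack = [Packet(f"{spoof_pool[i % 5]}.{i % 254 + 1}", zombie_mark)
              for i in range(100)]

    legit_ok = sum(1 for p in legit if fw.accept(p))
    attack_dropped = sum(1 for p in attack if not fw.accept(p))
    return legit_ok, len(legit), attack_dropped, len(attack)


if __name__ == "__main__":
    lo, lt, ad, at = run_simulation()
    print(f"legitimate accepted: {lo}/{lt}; attack dropped: {ad}/{at}")
```

In this constructed run every legitimate packet passes and 80 of 100 attack packets are dropped. The 20 that get through are the ones whose forged source lies in the zombies' own prefix, where the claimed source and the real path agree; that residue is inherent to any path-mark filter and is one reason the abstract claims "more than 90%" rather than complete filtering. Legitimate clients whose route changes after the learning phase would also be misclassified until the firewall re-learns, so in practice the table needs periodic refresh from traffic observed outside attack conditions.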
