Traceback-Based Bloomfilter IPS in Defending SYN Flooding Attack

Recently, the focus of network security has been shifting from passive detection to active defense. However, most work has concentrated on how quickly a DDoS attack can be detected and defense started, and existing methods for differentiating DDoS attack packets, especially SYN flooding packets, are too time-expensive. Once SYN flooding starts, victim servers have to allocate a large amount of memory, usually more than 500MB, to store the attack packets. To make the differentiating scheme more robust, we record the TCP session statistics (IP-TTL) of SYN packets in a Traceback-based Bloom Filter (TBF), and when an attack starts we match incoming SYN packets against the recorded IP-TTL statistics to differentiate the attack packets. In addition, we introduce a trace-back strategy to filter the IPs in the TBF that are attacked most frequently. Compared with current methods, the proposed approach can both hold back large-scale fake IPs and defend against IP spoofing. Experiments verify that once the proposed method is applied in Snort_inline, the hold-back precision is 98.65% and the half-open connection (semi-join) queue is almost empty; otherwise the precision is near zero and the half-open queue is full.
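An added illustration of the scheme described above, written for this page and not the paper's own code: a Bloom filter over (source IP, TTL) pairs learned from SYN packets, queried once an attack starts so that a SYN whose claimed source never showed that TTL is treated as spoofed. The per-source mismatch counter that blocks heavily abused addresses is an assumed simplification of the paper's trace-back strategy; filter size, hash count, threshold and the sample traffic are all constructed.

```python
import hashlib
from collections import Counter


class TracebackBloomFilter:
    """Bloom filter over (source IP, TTL) pairs taken from SYN packets.
    Learning phase: record each SYN's pair. Defence phase: a SYN whose pair
    was never recorded does not match the learned IP-TTL statistics and is
    treated as spoofed. Filter size, hash count and the per-source mismatch
    threshold used for blocking are assumed values, not the paper's."""

    def __init__(self, m_bits=8192, k_hashes=3, block_threshold=3):
        self.m_bits, self.k_hashes = m_bits, k_hashes
        self.bits = bytearray((m_bits + 7) // 8)
        self.block_threshold = block_threshold
        self.mismatches = Counter()  # unmatched-SYN count per source IP

    def _positions(self, ip, ttl):
        key = f"{ip}|{ttl}".encode()
        for i in range(self.k_hashes):  # k hashes derived by seeding SHA-256
            digest = hashlib.sha256(bytes([i]) + key).digest()
            yield int.from_bytes(digest[:8], "big") % self.m_bits

    def record(self, ip, ttl):
        for pos in self._positions(ip, ttl):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def matches(self, ip, ttl):
        # A recorded pair always matches; an unseen pair matches only on a
        # rare Bloom false positive, which would let that spoofed SYN through.
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(ip, ttl))

    def classify_syn(self, ip, ttl):
        """'pass', 'drop' (pair never learned) or 'blocked' (source IP reached
        the mismatch threshold, so even its genuine pair is now refused)."""
        if self.mismatches[ip] < self.block_threshold and self.matches(ip, ttl):
            return "pass"
        self.mismatches[ip] += 1
        return "blocked" if self.mismatches[ip] >= self.block_threshold else "drop"


# Constructed sample traffic (not from the paper): learned pairs, then SYNs
# that spoof 192.0.2.10 with TTLs its real host never showed.
LEARNED_PAIRS = [("10.0.0.5", 57), ("192.0.2.10", 118), ("198.51.100.7", 243)]
ATTACK_SYNS = [("10.0.0.5", 57), ("192.0.2.10", 60), ("192.0.2.10", 61),
               ("192.0.2.10", 62), ("192.0.2.10", 118)]


def run_demo():
    tbf = TracebackBloomFilter()
    for ip, ttl in LEARNED_PAIRS:
        tbf.record(ip, ttl)
    return [tbf.classify_syn(ip, ttl) for ip, ttl in ATTACK_SYNS]
```

The last SYN in the sample carries the genuine pair yet is still refused, which is the price of blocking an address that attackers spoof heavily.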
