IP traceback-based intelligent packet filtering: a novel technique for defending against Internet DDoS attacks

Distributed denial of service (DDoS) is one of the most difficult security problems to address. While many existing techniques (e.g., IP traceback) focus on locating the attackers after the fact, little is done to mitigate the effect of an attack while it is under way. We present a novel technique that can effectively filter out the majority of DDoS traffic, thus improving the overall throughput of the legitimate traffic. The proposed scheme builds on and generalizes IP traceback schemes to learn whether a network edge lies on the attack path of some attacker ("infected") or not ("clean"). We observe that while an attacker has every edge on its path marked "infected", the edges on the path of a legitimate client are mostly "clean". By preferentially dropping packets inscribed with the marks of "infected" edges, the proposed scheme removes most of the DDoS traffic while affecting legitimate traffic only slightly. Simulation results based on real-world network topologies (e.g., Skitter) all show that the proposed technique improves the throughput of legitimate traffic by 3 to 7 times during DDoS attacks.
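The following is an added illustration of the filtering idea in the abstract, not code from the paper or its simulations. It assumes a small constructed topology with two attackers and two legitimate clients, assumes that traceback has already reconstructed the attack paths (so the "infected" edge set is simply the union of edges on the attackers' paths), assumes that every router on a path inscribes its edge mark into an equal share of the packets (uniform edge sampling), and uses one possible preferential policy under overload: clean-marked packets are admitted first, and infected-marked packets only fill whatever capacity is left. The paper's own marking and filtering rules are not reproduced; the point is the mechanism by which an attacker's path is fully infected while a client's path is mostly clean, and what that does to legitimate throughput. Expected counts are kept as exact fractions so the result can be checked by hand.

```python
"""Edge-mark based DDoS filtering on a constructed toy topology (added example)."""
from collections import Counter
from fractions import Fraction

# Constructed topology: each source's router-level path to the victim V,
# given as the ordered list of edges a packet traverses.  A1/A2 attack;
# C2 shares the R3->R1 edge with A2, every source shares R1->V.
PATHS = {
    "A1": [("A1", "R2"), ("R2", "R1"), ("R1", "V")],
    "A2": [("A2", "R3"), ("R3", "R1"), ("R1", "V")],
    "C1": [("C1", "R4"), ("R4", "R1"), ("R1", "V")],
    "C2": [("C2", "R5"), ("R5", "R3"), ("R3", "R1"), ("R1", "V")],
}
ATTACKERS = {"A1", "A2"}
# Offered load per interval (constructed): attackers flood, clients trickle.
RATES = {"A1": 500, "A2": 500, "C1": 10, "C2": 10}
CAPACITY = 200  # packets per interval the victim's access link can carry


def infected_edges(paths, attackers):
    """Edges that traceback places on at least one attack path (assumed
    already reconstructed; the paper generalizes traceback to obtain this)."""
    return {e for a in attackers for e in paths[a]}


def mark_stream(paths, rates):
    """Expected packets per (source, inscribed edge), assuming each router on
    the path marks an equal share of that source's packets."""
    stream = Counter()
    for src, rate in rates.items():
        share = Fraction(rate, len(paths[src]))
        for e in paths[src]:
            stream[(src, e)] += share
    return stream


def _admit(out, packets, capacity):
    """Admit `packets` (per (src, edge)) proportionally up to `capacity`;
    returns the capacity consumed."""
    total = sum(packets.values())
    if total == 0:
        return Fraction(0)
    scale = min(Fraction(1), Fraction(capacity) / total)
    for (src, _), n in packets.items():
        out[src] += n * scale
    return total * scale


def admitted(stream, capacity, infected=None):
    """Packets admitted per source.  Without `infected`: plain overload, every
    packet dropped with the same probability.  With `infected`: clean-marked
    packets first, infected-marked packets only fill the remaining capacity."""
    out = Counter()
    if infected is None:
        _admit(out, stream, capacity)
        return out
    clean = {k: n for k, n in stream.items() if k[1] not in infected}
    dirty = {k: n for k, n in stream.items() if k[1] in infected}
    used = _admit(out, clean, capacity)
    _admit(out, dirty, Fraction(capacity) - used)
    return out


def legit_throughput(adm, attackers):
    """Admitted packets belonging to legitimate clients."""
    return sum(n for src, n in adm.items() if src not in attackers)


def improvement(paths=PATHS, rates=RATES, attackers=ATTACKERS, capacity=CAPACITY):
    """(legit throughput without filtering, with filtering, ratio)."""
    stream = mark_stream(paths, rates)
    base = legit_throughput(admitted(stream, capacity), attackers)
    filt = legit_throughput(
        admitted(stream, capacity, infected_edges(paths, attackers)), attackers)
    return base, filt, filt / base


if __name__ == "__main__":
    base, filt, ratio = improvement()
    print(f"legit throughput: tail-drop {float(base):.2f}, "
          f"edge-mark filter {float(filt):.2f}, gain {float(ratio):.2f}x")
```

In this topology every attacker packet carries an infected mark, so attack traffic is never admitted ahead of a clean-marked client packet; the clients only lose the share of their packets marked by the shared edges near the victim (R1->V for C1, R3->R1 and R1->V for C2). Note the caveat the abstract's "mostly clean" wording implies: a client whose entire path is shared with an attacker is indistinguishable from it under this scheme and gets no benefit.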
