Intrusion Detection Routers: Design, Implementation and Evaluation Using an Experimental Testbed

In this paper, we present the design, the implementation details, and the evaluation results of an intrusion detection and defense system for distributed denial-of-service (DDoS) attacks. The evaluation is conducted using an experimental testbed. The system, known as the intrusion detection router (IDR), is deployed on network routers to perform online detection of DDoS attack events and then react with defense mechanisms to mitigate the attack. The testbed is built from a cluster of Linux machines large enough to mimic a portion of the Internet. Using the testbed, we conduct real experiments to evaluate the IDR system and demonstrate that IDR is effective in protecting the network from various DDoS attacks.
