Abstract
Distributed Denial-of-Service (DDoS) attacks misuse network resource and bring serious threats to the internet. Detecting DDoS at the source-end has many advantages over defense at the victim-end and intermediate-network. However, one of the main problems for source-end methods is the performance degradation brought by these methods and no direct benefit for Internet Service Provider(ISP), which discourages ISPs to deploy the defense system. We propose an efficient detection approach, which only requires limited fixed-length memory and low computation overhead but provides satisfying detection results. Our method is also beneficial because the method can not only detect direct DDoS attack for other ISPs, but also protect the ISP itself from reflector DDoS attack. The efficient and beneficial defense is practical and expected to attract more ISPs to join the cooperation. The experiments results show our approach is efficient and feasible for defense at the source-end.
This work is supported by the National Natural Science Foundation of China under Grant No. 90104005.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Chang, R.K.: Defending against flooding-based distributed denial-of-service attacks: a tutorial. Communications Magazine, IEEE 40, 42–51 (2002)
Postel, J.: Transmission Control Protocol: DARPA internet program protocol specification, RFC 793 (1981)
Ferguson, P., Senie, D.: Network ingress filtering: Defeating denial of service attacks which employ IP source address spoofing (2000)
Bloom, B.H.: Space/time trade-offs in hash coding with allowable errors. Communications of the ACM 13, 422–426 (1970)
Wang, H., Zhang, D., Shin, K.G.: Detecting SYN flooding attacks. In: Proceedings of IEEE INFOCOM, vol. 3, pp. 1530–1539 (2002)
Jin, C., Wang, H.N., Shin, K.G.: Hop-count filtering: An effective defense against spoofed DDoS traffic. In: Proceedings of the 10th ACM conference on Computer and communication security (CCS), pp. 30–41. ACM Press, New York (2003)
Lemon, J.: Resisting SYN flood DoS attacks with a SYN cache. In: Proceedings of the BSDCon 2002 Conference (2002)
Mirkovic, J., Prier, G.: Attacking DDoS at the source. In: 10th Proceedings of the IEEE International Conference on Network Protocols, Paris, France (2002)
Yaar, A., Perrig, A., Song, D.: SIFF: A stateless internet flow filter to mitigate DDoS flooding attacks. In: Proceedings of 2004 IEEE Symposium, Security and Privacy, pp. 130–143 (2004)
Tupakula, U., Varadharajan, V.: Counteracting DDoS attacks in multiple ISP domains using routing arbiter architecture. In: The 11th IEEE International Conference on Networks ICON, pp. 455–460 (2003)
Sung, M., Xu, J.: IP traceback-based intelligent packet filtering: A novel technique for defending against internet DDoS attacks. IEEE Transactions on Parallel and Distributed Systems 14, 861–872 (2003)
Dean, D., Franklin, M., Stubblefield, A.: An algebraic approach to IP traceback. Information and System Security 5, 119–137 (2002)
Park, K., Lee, H.: On the effectiveness of probabilistic packet marking for IP traceback under denial of service attack. In: INFOCOM, pp. 338–347 (2001)
Savage, S., Wetherall, D., Karlin, A., Anderson, T.: Practical network support for IP traceback. In: Proceedings of the ACM SIGCOMM Conference, pp. 295–306. ACM Press, New York (2000)
Snoeren, A.C.: Hash-based IP traceback. In: Proceedings of the ACM SIGCOMM Conference, pp. 3–14. ACM Press, New York (2001)
Song, D.X., Perrig, A.: Advanced and authenticated marking schemes for IP traceback. In: INFOCOM 2001, pp. 878–886 (2001)
Ioannidis, J., Bellovin, S.M.: Implementing pushback: Router-based defense against DDoS attacks. In: Proceedings of Network and Distributed System Security Symposium, Catamaran Resort Hotel, San Diego. The Internet Society, California (2002)
Schuba, C.L., Krsul, I.V., Kuhn, M.G., Spafford, E.H., Sundaram, A., Zamboni, D.: Analysis of a denial of service attack on TCP. In: Proceedings of the 1997 IEEE Symposium on Security and Privacy, pp. 208–223. IEEE Computer Society Press, Los Alamitos (1997)
Abdelsayed, S., Glimsholt, D., Leckie, C., Ryan, S., Shami, S.: An efficient filter for denial-of-service bandwidth attacks. In: IEEE Global Telecommunications Conference, GLOBECOM 2003, vol. 3, pp. 1353–1357 (2003)
Chan, E., Chan, H., Chan, K.M., Chan, V.C.S., et al.: IDR: an intrusion detection router for defending against distributed denial-of-service(DDoS) attacks. In: Proceedings of the 7th International Symposium on Parallel Architectures, Algorithms and Networks 2004 (ISPAN 2004), pp. 581–586 (2004)
Network Simulator, NS2, http://www.isi.edu/nsnam/ns/
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2005 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
He, Y., Chen, W., Peng, W., Yang, M. (2005). Efficient and Beneficial Defense Against DDoS Direct Attack and Reflector Attack. In: Pan, Y., Chen, D., Guo, M., Cao, J., Dongarra, J. (eds) Parallel and Distributed Processing and Applications. ISPA 2005. Lecture Notes in Computer Science, vol 3758. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11576235_59
Download citation
DOI: https://doi.org/10.1007/11576235_59
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-29769-7
Online ISBN: 978-3-540-32100-2
eBook Packages: Computer ScienceComputer Science (R0)