Packet Marking Based Cooperative Attack Response Service for Effectively Handling Suspicious Traffic

  • Conference paper
Information Security and Cryptology (Inscrypt 2006)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 4318))

Abstract

Security vulnerabilities in network environments and their corresponding countermeasures have become more critical issues than ever. Although many researchers and vendors have introduced powerful mechanisms such as Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) for network security, a per-packet decision is not always correct, especially when those systems handle traffic that crosses multiple organizations operating under different security policies. In fact, some legitimate (normal) network traffic produces a pattern similar to that of malicious traffic such as Distributed Denial of Service (DDoS), and vice versa. We call such traffic suspicious: it cannot be clearly designated as either malicious or normal. Since traditional IDS and IPS approaches make a simple binary decision (i.e., allow or reject) based on pre-defined rules, there is a high probability that suspicious but legitimate packets are rejected or suspicious and malicious packets are allowed. To enhance the quality of service in a network environment, we propose in this paper a Packet Marking-Based Cooperative Attack Response Service (pm-CARS) that can effectively deal with suspicious network traffic. pm-CARS nodes cooperate with each other through packet marking: they mark suspicious packets instead of dropping them, and all marked packets are forwarded to the next node with a low-priority service designation, which indicates that their drop probability is very high. pm-CARS includes two schemes: abnormal IP address detection and abnormal excess traffic detection. pm-CARS can reduce the false-positive rate and can protect the quality of service of innocent traffic from attacks. Finally, we simulate our ideas in a network environment and discuss the evaluation results.
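As an added illustration (not code from the paper), the following Python simulation models the two-node cooperation the abstract describes: an edge pm-CARS node applies an abnormal-address check and an excess-rate check and marks rather than drops, and a downstream node serves unmarked packets first, so marked packets still get through whenever there is spare capacity. The thresholds, the expected source prefixes, the use of the AF13 codepoint as the low-priority mark, and the packet trace are all assumptions made for this example.

```python
from collections import Counter
from dataclasses import dataclass

# Assumed DSCP values: 0 is best effort; AF13 (RFC 2597, class 1 with the
# highest drop precedence) is used here as the "mark" for suspicious packets.
DSCP_BE = 0
DSCP_AF13 = 0b001110


@dataclass
class Packet:
    src: str
    dscp: int = DSCP_BE


class PmCarsEdgeNode:
    """Edge node: marks suspicious packets instead of dropping them."""

    def __init__(self, rate_threshold, expected_prefixes):
        self.rate_threshold = rate_threshold        # packets per window per source
        self.expected_prefixes = expected_prefixes  # prefixes that belong on this ingress link
        self.counts = Counter()

    def is_suspicious(self, pkt):
        self.counts[pkt.src] += 1
        abnormal_addr = not any(pkt.src.startswith(p) for p in self.expected_prefixes)
        excess_rate = self.counts[pkt.src] > self.rate_threshold
        return abnormal_addr or excess_rate

    def process(self, pkt):
        if self.is_suspicious(pkt):
            pkt.dscp = DSCP_AF13  # mark, do not drop
        return pkt


class DownstreamNode:
    """Forwards up to `capacity` packets; marked packets only use leftover capacity."""

    def __init__(self, capacity):
        self.capacity = capacity

    def forward(self, packets):
        unmarked = [p for p in packets if p.dscp == DSCP_BE]
        marked = [p for p in packets if p.dscp != DSCP_BE]
        room = max(0, self.capacity - len(unmarked))
        return unmarked[: self.capacity] + marked[:room]


def build_trace():
    """Constructed trace: a bursty local host, an off-prefix source, a quiet local host."""
    return ([Packet("10.0.0.5")] * 6 + [Packet("192.0.2.9")] * 2 + [Packet("10.0.0.7")] * 3)


def simulate(capacity, rate_threshold=4, expected_prefixes=("10.0.",)):
    edge = PmCarsEdgeNode(rate_threshold, expected_prefixes)
    marked = [edge.process(Packet(p.src)) for p in build_trace()]
    delivered = DownstreamNode(capacity).forward(marked)
    n_marked = sum(p.dscp == DSCP_AF13 for p in marked)
    n_marked_delivered = sum(p.dscp == DSCP_AF13 for p in delivered)
    return n_marked, len(delivered), n_marked_delivered
```

With spare capacity every marked packet is still delivered, so a wrongly flagged burst costs the sender nothing; under congestion the marked packets are the first to go.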

Copyright information

© 2006 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

An, G., Park, J.S. (2006). Packet Marking Based Cooperative Attack Response Service for Effectively Handling Suspicious Traffic. In: Lipmaa, H., Yung, M., Lin, D. (eds) Information Security and Cryptology. Inscrypt 2006. Lecture Notes in Computer Science, vol 4318. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11937807_15

  • DOI: https://doi.org/10.1007/11937807_15

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-49608-3

  • Online ISBN: 978-3-540-49610-6

  • eBook Packages: Computer Science (R0)