Abstract
The security vulnerabilities in a network environment and their corresponding countermeasures have become more critical issues than ever. Although many researchers and vendors have introduced powerful mechanisms such as Intrusion Detection System (IDS) or Intrusion Prevention System (IPS) for network security, the packet-based decision is not always correct, especially when those systems are involved in network traffics across multiple organizations under different security policies. In fact, some legitimate (normal) network traffics produce a similar pattern to that of malicious traffics such as Distributed Denial of Service (DDoS), and vice versa. We call those traffics suspicious. Suspicious traffic cannot be clearly designated as malicious or normal traffic. Since traditional IDS or IPS approaches make a simple binary decision (i.e., allow or reject) based on pre-defined rules, there is a high possibility that suspicious/legitimate packets are rejected or suspicious/malicious packets are allowed. To enhance the quality of service in a network environment, we propose in this paper a Packet Marking-Based Cooperative Attack Response Service (pm-CARS) that is able to effectively deal with suspicious network traffic. pm-CARS nodes cooperate with each other by using packet-marking. These pm-CARS nodes mark suspicious packets instead of dropping them. All the marked packets are forwarded to the next node using a low priority of service designation, which indicates the drop probability is very high. Our pm-CARS includes two schemes: abnormal IP address detection and abnormal excess traffic detection schemes. Our pm-CARS can reduce the false-positive rate and can protect the quality of service for innocent traffic from attacks. Finally, we simulate our ideas in a network environment and discuss the evaluation results.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Geng, X., Whinston, A.B.: Defeating Distributed Denial of Service Attacks. IT Pro., pp. 36–41 (2000)
Mirkovic, J., Reiher, P.: A Taxonomy of DDoS Attack and DDoS Defense Mechanisms. ACM SIGCOMM Computer Communications Review 34(2), 39–53 (2004)
Risson, J., Moors, T.: Survey of Research towards Robust Peer-to-Peer Networks: Search Methods. IRTF draft-irtf-p2prg-survey-search-00.txt (2006)
Jung, J., Krishnamurthy, B., Rabinovich, M.: Flash Crowds and Denial of Service Attacks: Characterization and Implications for CDNs and Web Sites. In: The 11th International World Wide Web Conference, pp. 252–262 (2002)
Afek, Y.: DDoS: Why You Need to Worry (How to Solve The Problem). In: 30th Annual computer security conference and Exhibition (2003)
Mahajan, R., Bellovin, S.M., Floyd, S., et al.: Controlling High Bandwidth Aggregates in the Network. ACM SIGCOMM Computer Communications Review 32(3), 62–73 (2002)
Yau, D.K.Y., Lui, J.C.S., Liang, F.: Defending against distributed denial-of-service attacks with max-min fair server-centric router throttles. In: Tenth IEEE International Workshop on Quality of Service, pp. 35–44 (2002)
Houle, K.J., Weaver, G.M.: Trends in Denial of Service Attack Technology. The fall 2001 NANOG meeting (2001)
Nichols, K., Blake, S., Baker, F., Black, D.: Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers. IETF RFC 2474
Baker, F., Weiss, W., Wroclawski, J.: Assured Forwarding PHB Group. IETF RFC 2597
Jacobson, V., Nichols, K., Poduri, K.: An Expedited Forwarding PHB. IETF RFC 2598
Leckie, C., Kotagiri, R.: A Probabilistic Approach to Detecting Network Scans. In: IEEE Network Operations and Management Symposium, pp. 359–372 (2002)
Schechter, S., Jung, J., Berger, A.W.: Fast Detection of Scanning Worm Infections. In: Jonsson, E., Valdes, A., Almgren, M. (eds.) RAID 2004. LNCS, vol. 3224, pp. 59–81. Springer, Heidelberg (2004)
Twycross, J., Williamson, M.M.: Implementing and testing a virus throttle. In: 12th USENIX Security Symposium (2003)
Templeton, S.J., Levitt, K.E.: Detecting Spoofed Packets. In: DARPA Information Survivability Conference and Exposition (2003)
Cisco: Unicast Reverse Path Forwarding (uRPF) Enhancements for the ISP-ISP Edge (2001), http://www.cisco.com/.../uRPF_Enhancement.pdf
UCB/LBNL/VINT: Network simulator (ns) Notes and Documentation, http://www.isi.edu/nsnam/ns
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2006 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
An, G., Park, J.S. (2006). Packet Marking Based Cooperative Attack Response Service for Effectively Handling Suspicious Traffic. In: Lipmaa, H., Yung, M., Lin, D. (eds) Information Security and Cryptology. Inscrypt 2006. Lecture Notes in Computer Science, vol 4318. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11937807_15
Download citation
DOI: https://doi.org/10.1007/11937807_15
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-49608-3
Online ISBN: 978-3-540-49610-6
eBook Packages: Computer ScienceComputer Science (R0)