Abstract
Cybercriminals are learning to harness the power of simpler devices such as connected cameras. In September 2016, the Mirai software was used to infect more than 100,000 devices and unleash one of the largest distributed denial-of-service (DDoS) attacks seen up to that time. After this incident, many observers identified multiple large attacks originating from Internet of Things (IoT) devices, such as CCTV cameras, and described these attacks as a new trend. A technique that detects whether the source address of traffic is forged in the initial stage of a DDoS attack is therefore important. This paper proposes a method for quickly detecting a spoofed Internet protocol (IP) address during a DDoS attack, based on a DDoS shelter that is established to defend against such attacks. To achieve this goal, we evaluate the number of time-to-live (TTL) hops in normal traffic as a reference for the bandwidth of each network that is accessible to the DDoS shelter. We conduct an experiment using cases of actual DDoS attacks, and its results show that the proposed method quickly detects a spoofed IP address.
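The following is an added illustration of the hop-count idea the abstract describes, not the paper's own code: a reference of hop counts per source network is learned from normal traffic, and a packet whose TTL-derived hop count contradicts that reference is flagged. The initial TTL set (32, 64, 128, 255), the /24 grouping, the tolerance of one hop and the packet trace are all assumptions made for the example.

```python
# Added example (not the paper's code): hop-count consistency check for spoofed
# sources. Assumes common initial TTLs (32, 64, 128, 255); trace is constructed.
from collections import defaultdict

INITIAL_TTLS = (32, 64, 128, 255)

def hop_count(ttl):
    """Hops travelled, inferred as the gap to the smallest initial TTL >= ttl."""
    for init in INITIAL_TTLS:
        if ttl <= init:
            return init - ttl
    raise ValueError("TTL must be 0..255")

def network_of(ip):
    """Group sources by /24 prefix; hosts in one prefix usually share a path."""
    return ".".join(ip.split(".")[:3]) + ".0/24"

def build_reference(normal_trace):
    """Learn the set of hop counts seen per source network in normal traffic."""
    ref = defaultdict(set)
    for src, ttl in normal_trace:
        ref[network_of(src)].add(hop_count(ttl))
    return dict(ref)

def classify(src, ttl, ref, tolerance=1):
    """'ok' within tolerance of a learned hop count, 'spoofed' if it deviates,
    'unknown' if the claimed source network was never seen in normal traffic."""
    seen = ref.get(network_of(src))
    if not seen:
        return "unknown"
    hops = hop_count(ttl)
    return "ok" if any(abs(hops - h) <= tolerance for h in seen) else "spoofed"

# Constructed sample traffic (source IP, observed TTL); not real measurements.
NORMAL_TRACE = [
    ("203.0.113.10", 52),   # 64 - 52 = 12 hops
    ("203.0.113.11", 51),   # 13 hops
    ("198.51.100.7", 116),  # 128 - 116 = 12 hops
    ("192.0.2.200", 243),   # 255 - 243 = 12 hops
]
ATTACK_TRACE = [
    ("203.0.113.10", 52),   # consistent with the reference
    ("203.0.113.99", 60),   # 4 hops, but that network is 12-13 hops away
    ("192.0.2.8", 250),     # 5 hops, reference says 12
    ("10.0.0.5", 57),       # network never seen in normal traffic
]

def run(ref=None):
    """Classify each packet of ATTACK_TRACE against the learned reference."""
    ref = ref or build_reference(NORMAL_TRACE)
    return [(src, classify(src, ttl, ref)) for src, ttl in ATTACK_TRACE]
```

The inference is ambiguous near initial-TTL boundaries (an observed TTL of 32 could mean 0 hops from a 32-start host or 32 hops from a 64-start host), so in practice the reference should be refreshed regularly and a mismatch treated as a signal to rate-limit or verify rather than as proof on its own.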
Funding
This work was supported under the framework of the international cooperation program managed by the National Research Foundation of Korea (2016K2A9A2A05005255).
Cite this article
Lee, YJ., Baik, NK., Kim, C. et al. Study of detection method for spoofed IP against DDoS attacks. Pers Ubiquit Comput 22, 35–44 (2018). https://doi.org/10.1007/s00779-017-1097-y
DOI: https://doi.org/10.1007/s00779-017-1097-y