A novel approach to detecting DDoS Attacks at an Early Stage

The Journal of Supercomputing

Abstract

Distributed Denial-of-Service (DDoS) attacks pose a serious threat to Internet security. Most current research focuses on detection and prevention methods on the victim server or source side. To date, there has been no work on defenses using valuable information from the innocent client whose IP has been used in attacking packets. In this paper, we propose a novel cooperative system for producing a warning of a DDoS attack. The system consists of a client detector and a server detector. The client detector is placed on the innocent client side and uses a Bloom filter-based detection scheme that generates accurate detection results yet consumes minimal storage and computational resources. The server detector can actively assist the warning process by sending requests to innocent hosts. Simulation results show that the cooperative technique presented in this paper can yield accurate DDoS alarms at an early stage. We theoretically show the false alarm probability of the detection scheme, which is insensitive to false alarms when using specially designed evaluation functions.

Author information

Corresponding author

Correspondence to Bin Xiao.

Additional information

This work is partially supported by HK Polyu ICRG A-PF86 and CERG Polyu 5196/04E, and by the National Natural Science Foundation of China under Grant No. 90104005.

About this article

Cite this article

Xiao, B., Chen, W. & He, Y. A novel approach to detecting DDoS Attacks at an Early Stage. J Supercomput 36, 235–248 (2006). https://doi.org/10.1007/s11227-006-8295-0

  • Issue Date:

  • DOI: https://doi.org/10.1007/s11227-006-8295-0
