Abstract
Distributed Denial-of-Service (DDoS) attacks pose a serious threat to Internet security. Most current research focuses on detection and prevention methods on the victim server side or the attack source side. To date, there has been no work on defenses that use the valuable information available to the innocent client whose IP address has been used in attacking packets. In this paper, we propose a novel cooperative system for producing warnings of a DDoS attack. The system consists of a client detector and a server detector. The client detector is placed on the innocent client side and uses a Bloom filter-based detection scheme that generates accurate detection results while consuming minimal storage and computational resources. The server detector can actively assist the warning process by sending requests to innocent hosts. Simulation results show that the cooperative technique presented in this paper can yield accurate DDoS alarms at an early stage. We derive the false alarm probability of the detection scheme theoretically and show that the scheme is insensitive to false alarms when specially designed evaluation functions are used.
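The abstract only names the building block (a Bloom filter on the innocent client) without spelling out what the client records or compares. The following Python sketch is an added example, not code from the paper or its authors, and it rests on one assumption of ours: that a client detector records the connection attempts the host itself originates and treats inbound SYN-ACK segments for connections it never opened as evidence that its address has been spoofed in a flood against the responding server. The class names, the connection key layout, the alarm threshold and the documentation-range addresses in the trace are all constructed for illustration.

```python
import hashlib
import math
from collections import Counter


class BloomFilter:
    """Fixed-size bit array with k salted SHA-256 positions per item."""

    def __init__(self, m_bits: int, k_hashes: int):
        self.m = m_bits
        self.k = k_hashes
        self.bits = bytearray((m_bits + 7) // 8)
        self.n = 0  # number of items inserted, used for the FP estimate

    def _positions(self, item: str):
        # k positions derived from k differently salted digests of the item
        for i in range(self.k):
            digest = hashlib.sha256(f"{i}:{item}".encode()).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def add(self, item: str) -> None:
        for p in self._positions(item):
            self.bits[p // 8] |= 1 << (p % 8)
        self.n += 1

    def __contains__(self, item: str) -> bool:
        # No false negatives: anything inserted is always reported present
        return all((self.bits[p // 8] >> (p % 8)) & 1 for p in self._positions(item))

    def false_positive_rate(self) -> float:
        # Classic estimate (1 - e^{-kn/m})^k for n inserted items
        return (1 - math.exp(-self.k * self.n / self.m)) ** self.k


class ClientDetector:
    """Hypothetical client-side detector: remembers the SYNs this host sent
    and counts SYN-ACKs that do not match any of them, per remote server."""

    def __init__(self, m_bits: int = 8192, k_hashes: int = 4, threshold: int = 5):
        self.sent = BloomFilter(m_bits, k_hashes)
        self.threshold = threshold        # unsolicited SYN-ACKs before alarming
        self.unsolicited = Counter()      # keyed by the responding server's IP

    @staticmethod
    def _key(server_ip: str, server_port: int, client_port: int) -> str:
        # Connection identity from the client's point of view (assumed layout)
        return f"{server_ip}:{server_port}:{client_port}"

    def on_outbound_syn(self, dst_ip: str, dst_port: int, src_port: int) -> None:
        self.sent.add(self._key(dst_ip, dst_port, src_port))

    def on_inbound_synack(self, src_ip: str, src_port: int, dst_port: int) -> bool:
        """Return True when the count of unmatched SYN-ACKs from src_ip
        reaches the threshold, i.e. when a warning should be raised."""
        if self._key(src_ip, src_port, dst_port) in self.sent:
            return False  # a reply to a connection this host really opened
        self.unsolicited[src_ip] += 1
        return self.unsolicited[src_ip] >= self.threshold


def run_sample_trace(threshold: int = 3) -> list:
    """Feed a constructed packet trace through the detector and return the
    list of server IPs for which an alarm was raised."""
    det = ClientDetector(threshold=threshold)
    # Constructed events: ("syn", dst_ip, dst_port, src_port) for connections
    # this host opens; ("synack", src_ip, src_port, dst_port) for replies.
    trace = [
        ("syn", "198.51.100.7", 443, 40001),
        ("synack", "198.51.100.7", 443, 40001),   # legitimate reply
        ("synack", "203.0.113.10", 80, 50000),    # never asked for these ...
        ("synack", "203.0.113.10", 80, 50001),
        ("synack", "203.0.113.10", 80, 50002),    # ... third one crosses threshold
    ]
    alarms = []
    for kind, ip, port_a, port_b in trace:
        if kind == "syn":
            det.on_outbound_syn(ip, port_a, port_b)
        elif det.on_inbound_synack(ip, port_a, port_b):
            alarms.append(ip)
    return alarms


if __name__ == "__main__":
    print(run_sample_trace())
```

Two properties of the filter matter for the false-alarm argument. Because a Bloom filter has no false negatives, a reply to a connection the host genuinely opened can never be counted as unsolicited, so the filter itself never raises an alarm. Its false positives act in the opposite direction: a spoofed-traffic reply that happens to collide with recorded bits is silently ignored, which delays detection slightly but does not create a warning. The `false_positive_rate` estimate gives the operator a way to size `m_bits` and `k_hashes` against the number of connections a client opens in a detection window.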
This work is partially supported by HK Polyu ICRG A-PF86 and CERG Polyu 5196/04E, and by the National Natural Science Foundation of China under Grant No. 90104005.
Xiao, B., Chen, W. & He, Y. A novel approach to detecting DDoS Attacks at an Early Stage. J Supercomput 36, 235–248 (2006). https://doi.org/10.1007/s11227-006-8295-0