ABSTRACT
Due to the proliferation of diverse network applications, DoS/DDoS attacks keep evolving. Many detection and mitigation studies have been performed and implemented in on-line and off-line network devices such as routers and IDS/IPS. While an IDS/IPS is powerful enough to handle deep packet inspection (DPI) tasks, routers are better suited to real-time, line-speed processing requirements. Since routers are designed to handle IP packet header information, a DoS/DDoS detection and prevention method that relies only on router-specific features is best placed for in-line, real-time processing. We introduce a Flow-based DoS/DDoS Detection Algorithm (FDDA) that detects Distributed Denial of Service (DDoS) attacks by monitoring the TTL and Identification (ID) fields of each incoming packet's IP header. Since DDoS attacks commonly rely on IP source address spoofing, the TTL and ID fields of spoofed packets tend to behave abnormally. The device keeps track of an 8-tuple flow table, and the behavior of these two fields within each flow is monitored to determine whether a DoS/DDoS attack is under way. Because the method needs only header fields and per-flow state, it can be implemented directly in flow-based routers and similar devices.
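The abstract gives the principle but not the flow-key layout or the decision rule. The following is an added illustration written for this page, not the paper's FDDA implementation. Everything it fixes is an assumption: the composition of the 8-tuple (`FLOW_KEY_FIELDS`), the thresholds, and the anomaly rule itself, which is the one used by hop-count filtering: packets that genuinely come from one host over a stable path arrive with a constant TTL (initial TTL minus hop count), and stacks that use a counter for the IP ID field produce small forward steps, whereas crafted packets tend to show TTL values that jump and ID values that do not advance sensibly. The sample packets are constructed in the block with a minimal IPv4 header builder so it runs offline.

```python
"""Per-flow TTL / IP-ID consistency check (illustrative, not the paper's code)."""
import struct
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Assumed 8-tuple flow key; the abstract does not list the paper's actual fields.
FLOW_KEY_FIELDS = ("src", "dst", "proto", "sport", "dport", "tos", "ifindex", "df")

# Hypothetical tuning parameters, not values from the paper.
MAX_DISTINCT_TTL = 2          # a route flap may shift the hop count by one or two
MAX_ID_DISORDER_RATIO = 0.3   # fraction of non-incrementing IP-ID steps tolerated
MIN_PACKETS = 5               # observe a few packets before judging a flow


def build_ipv4(src, dst, ttl, ident, proto=17, tos=0,
               payload=b"\x00\x35\x00\x35\x00\x08\x00\x00"):
    """Constructed test data: minimal IPv4 header (checksum left 0) plus a UDP header."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), ident, 0, ttl, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload


def parse_ipv4(pkt):
    """Pull out the header fields the detector keys on and monitors."""
    vihl, tos, _tl, ident, frag, ttl, proto, _ck, s, d = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    sport = dport = 0
    if proto in (6, 17) and len(pkt) >= ihl + 4:        # TCP and UDP both start with the ports
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return {"src": ".".join(map(str, s)), "dst": ".".join(map(str, d)), "proto": proto,
            "sport": sport, "dport": dport, "tos": tos, "df": (frag >> 14) & 1,
            "ttl": ttl, "id": ident}


def infer_hop_count(ttl):
    """Hop count under the usual assumption that the sender started from 32/64/128/255."""
    initial = next(t for t in (32, 64, 128, 255) if t >= ttl)
    return initial - ttl


@dataclass
class FlowState:
    packets: int = 0
    ttls: set = field(default_factory=set)
    last_id: Optional[int] = None
    disordered_ids: int = 0   # ID steps that are not a small forward increment


class FlowTable:
    def __init__(self):
        self.flows = defaultdict(FlowState)

    def observe(self, pkt, ifindex=0):
        """Update per-flow TTL and ID statistics; returns the flow key used."""
        h = parse_ipv4(pkt)
        key = tuple(ifindex if f == "ifindex" else h[f] for f in FLOW_KEY_FIELDS)
        st = self.flows[key]
        st.packets += 1
        st.ttls.add(h["ttl"])
        if st.last_id is not None:
            step = (h["id"] - st.last_id) & 0xFFFF    # 16-bit counter, allow wrap-around
            if not 1 <= step <= 64:                   # counter-based stacks stay in a small window
                st.disordered_ids += 1
        st.last_id = h["id"]
        return key

    def verdict(self, key):
        st = self.flows[key]
        if st.packets < MIN_PACKETS:
            return "undecided"
        ttl_bad = len(st.ttls) > MAX_DISTINCT_TTL
        id_bad = st.disordered_ids / (st.packets - 1) > MAX_ID_DISORDER_RATIO
        return "spoofed" if (ttl_bad or id_bad) else "normal"


def demo():
    """Constructed traffic: one genuine flow and one flood with a fixed spoofed source."""
    table = FlowTable()
    legit = [build_ipv4("10.0.0.5", "192.0.2.10", 61, 1000 + i) for i in range(8)]
    ttls = (33, 118, 250, 33, 118, 250, 33, 118)            # TTL jumps between packets
    ids = (51234, 3, 40000, 65535, 12, 777, 9000, 1)        # IDs that do not advance sensibly
    flood = [build_ipv4("198.51.100.9", "192.0.2.10", t, i) for t, i in zip(ttls, ids)]
    keys = {}
    for p in legit:
        keys["legit"] = table.observe(p)
    for p in flood:
        keys["flood"] = table.observe(p)
    return {name: table.verdict(k) for name, k in keys.items()}


if __name__ == "__main__":
    print(demo())
```

Two caveats a deployer would want. First, when the attacker randomises the source address, every spoofed packet lands in a flow of its own and neither field can be judged per flow; that case needs an aggregation the abstract does not describe (for example, the rate of new single-packet flows per destination). Second, the ID rule assumes a counter-based sender; stacks that randomise the Identification field, or that set it to zero on DF packets, will trip the ID check on legitimate traffic, so in practice the TTL signal is the stronger of the two and the thresholds must be tuned against baseline traffic.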
An effective defense mechanism against DoS/DDoS attacks in flow-based routers