TRACK: A Novel Approach for Defending Against Distributed Denial-of-Service Attacks

نویسندگان

  • Ruiliang Chen
  • Jung-Min Park
  • Randolph Marchany
چکیده

This paper presents a novel countermeasure against Distributed Denial-of-Service (DDoS) attacks that we call the rouTer poRt mArking and paCKet filtering (TRACK), which includes the functions of both IP traceback and packet filtering. TRACK is a comprehensive solution that is composed of two components: a router port marking module and a packet filtering module. The former is a novel packet marking scheme for IP traceback and the latter is a novel packet filtering scheme that utilizes the information gathered from the former component. The router port marking scheme marks packets by probabilistically writing a router interface’s port number, a locally unique 6-digit identifier, to the packets it transmits. After collecting the packets marked by each router in an attacking path, a victim machine can use the information contained in those packets to trace the attack back to its source (i.e., solve the “IP traceback” problem). In the packet filtering component, the information contained in the same packets are used to filter the malicious packets at the upstream routers (i.e., routers located in the direction towards the attackers), thus effectively mitigating attacks. Because very little space is required to mark a port number, TRACK allows us to include attack signature information along with the port number within a single packet’s IP header. The resulting advantage is three fold: (1) a significantly less number of packets need to be collected to traceback the attack source compared to previous IP traceback schemes, (2) very little computation overhead is required in the traceback process, and (3) scalability: a large number of attackers (i.e., zombies) can be traced back efficiently. Because TRACK uses the router interface instead of the entire router as the “atomic unit” for IP traceback and packet filtering, it can accomplish these tasks with much finer granularity, which helps to lower the false positives. In the paper, we also show that TRACK supports gradual deployment . Index terms – Distributed Denial-of-Service, IP Traceback, Packet Filtering, Network Security.

برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید

ثبت نام

اگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید

منابع مشابه

HF-Blocker: Detection of Distributed Denial of Service Attacks Based On Botnets

Abstract—Today, botnets have become a serious threat to enterprise networks. By creation of network of bots, they launch several attacks, distributed denial of service attacks (DDoS) on networks is a sample of such attacks. Such attacks with the occupation of system resources, have proven to be an effective method of denying network services. Botnets that launch HTTP packet flood attacks agains...

متن کامل

Neural Network Based Protection of Software Defined Network Controller against Distributed Denial of Service Attacks

Software Defined Network (SDN) is a new architecture for network management and its main concept is centralizing network management in the network control level that has an overview of the network and determines the forwarding rules for switches and routers (the data level). Although this centralized control is the main advantage of SDN, it is also a single point of failure. If this main contro...

متن کامل

Defending Against DDoS Attacks in Bloom Filter based Multicasting

Bloom filter (BF) based forwarding is an effective approach to implement scalable multicasting in distributed systems. The forwarding BF carried by each packet can encode either multicast tree or destination IP addresses, which are termed as tree oriented approach (TOA) and destination oriented approach (DOA), respectively. Recent studies have indicated that TOA based protocols have serious vul...

متن کامل

Defending against Distributed Denial-of-Service Attacks with Weight-Fair Router Throttles

A high profile internet server is always a target of denial-of-service attacks. In this project, we propose a novel technique for protecting an internet server from distributed denial-of-service attacks. The defense mechanism is based on a distributed algorithm that performs weight-fair throttling at the upstream routers. The throttling is weight-fair because the traffics destined for the serve...

متن کامل

Protection from distributed denial of service attacks using history-based IP filtering

In this paper, we introduce a practical scheme to defend against Distributed Denial of Service (DDoS) attacks based on IP source address filtering. The edge router keeps a history of all the legitimate IP addresses which have previously appeared in the network. When the edge router is overloaded, this history is used to decide whether to admit an incoming IP packet. Unlike other proposals to de...

متن کامل

ذخیره در منابع من


  با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید

برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید

ثبت نام

اگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید

عنوان ژورنال:

دوره   شماره 

صفحات  -

تاریخ انتشار 2005