IP Traceback-based Intelligent Packet Filtering: A Novel Technique for Defending Against Internet DDoS Attacks
Author(s)
Sung, Min-Ho
Xu, Jun
Abstract
Distributed Denial of Service (DDoS) is one of the most difficult security
problems to address. While many existing techniques (e.g., IP traceback)
focus on tracking the location of the attackers after the fact, little is
done to mitigate the effect of an attack while it is in progress. In this paper, we present a novel technique
that can effectively filter out the majority of DDoS traffic, thus improving
the overall throughput of the legitimate traffic. The proposed scheme
leverages and generalizes the IP traceback schemes to obtain
information on whether a network edge is on the attacking path of an attacker ("infected") or not
("clean"). We observe that while an attacker will have all the edges on
its path marked as "infected", edges on the path of a legitimate client
will mostly be "clean". By preferentially filtering out packets that are
inscribed with the marks of "infected" edges, the proposed scheme removes
most of the DDoS traffic while affecting legitimate traffic only slightly.
Simulation results based on real-world network topologies all demonstrate
that the proposed technique can improve the throughput of legitimate traffic
by 3 to 7 times during DDoS attacks.
Date
2002
Extent
402097 bytes
Resource Type
Text
Resource Subtype
Technical Report