Proceedings ArticleDOI

An On-line DDoS Attack Traceback and Mitigation System Based on Network Performance Monitoring

22 Apr 2008, Vol. 2, pp. 1467-1472
TL;DR: The experimental results from NS-2 simulations show that the DDoS attacks are effectively mitigated by DATMS, which adopts on-line analysis instead of post-mortem analysis to reduce the trace time.
Abstract: In this paper, a DDoS attack traceback and mitigation system (DATMS) is proposed to trace DDoS attack sources based on network performance monitoring. By monitoring the packet loss rate and packet arrival rate on victim flows, the routers nearest the attack sources, called approximate attack entry nodes (AENs), can be traced. DATMS adopts on-line analysis instead of post-mortem analysis to reduce the trace time. In addition, a packet filter controller that adapts to queue length is proposed to mitigate the DDoS attacks. Since it is extremely difficult to distinguish attack flows from victim flows on core routers, the proposed packet filter is very simple and has low overhead. Finally, experimental results from NS-2 simulations show that DDoS attacks are effectively mitigated by DATMS.
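The abstract describes two mechanisms but gives no algorithm: locating AENs from per-router performance measurements, and a packet filter whose drop rate follows queue length. The following is an added toy illustration of both ideas, written for this page and not the paper's code. Everything beyond the abstract is assumed: the routers form a tree rooted at the victim `V`, each router reports the arrival rate of victim-bound traffic for the current interval together with a baseline learnt in quiet periods, an AEN is taken to be an anomalous router none of whose upstream neighbours is anomalous, and the filter is a RED-style linear ramp between two assumed queue thresholds. The topology, rates and thresholds are constructed.

```python
"""Toy on-line traceback (AEN location) plus queue-adaptive filtering.

Added illustration, not the paper's code. Assumptions not in the abstract:
routers form a tree rooted at the victim "V"; each router reports the arrival
rate (pkt/s) of victim-bound traffic in the current monitoring interval and a
baseline rate learnt in quiet periods; an approximate attack entry node (AEN)
is an anomalous router none of whose upstream neighbours is anomalous.
"""

THRESH = 4.0           # assumed: rate/baseline ratio that counts as anomalous
MIN_Q, MAX_Q = 20, 80  # assumed: queue-length thresholds of the filter

# Constructed topology: router -> next hop towards the victim.
PARENT = {"R1": "V", "R2": "V", "R3": "R1", "R4": "R1", "R5": "R2", "R6": "R5"}
BASELINE = {r: 100.0 for r in PARENT}
# Constructed measurements: attack traffic enters at R3 and R6 and aggregates
# on every router downstream of them.
RATES = {"R1": 1000.0, "R2": 900.0, "R3": 900.0, "R4": 100.0, "R5": 800.0, "R6": 700.0}


def upstream(topology):
    """Invert child->parent into parent->[children]."""
    up = {}
    for child, parent in topology.items():
        up.setdefault(parent, []).append(child)
    return up


def trace_aens(topology, rates, baseline, thresh=THRESH):
    """Return the approximate attack entry nodes, sorted by name.

    Walking outward from the victim, every router carrying the attack aggregate
    looks anomalous; the AEN is the most upstream one on each branch, i.e. an
    anomalous router with no anomalous upstream neighbour."""
    up = upstream(topology)
    anomalous = {r for r, rate in rates.items() if rate > thresh * baseline[r]}
    return sorted(r for r in anomalous
                  if not any(c in anomalous for c in up.get(r, [])))


def drop_probability(queue_len, min_q=MIN_Q, max_q=MAX_Q):
    """0 below min_q, 1 at or above max_q, linear in between (RED-style ramp)."""
    if queue_len < min_q:
        return 0.0
    if queue_len >= max_q:
        return 1.0
    return (queue_len - min_q) / (max_q - min_q)


def run_filter(arrivals, service_rate, min_q=MIN_Q, max_q=MAX_Q):
    """Push per-interval arrival counts through a queue drained by service_rate
    packets per interval. The drop fraction for an interval is taken from the
    queue length at its start (deterministic, so results are reproducible).
    Returns (packets dropped, peak queue length)."""
    queue, dropped, peak = 0, 0, 0
    for n in arrivals:
        admitted = round(n * (1.0 - drop_probability(queue, min_q, max_q)))
        dropped += n - admitted
        queue = max(0, queue + admitted - service_rate)
        peak = max(peak, queue)
    return dropped, peak


if __name__ == "__main__":
    print("AENs:", trace_aens(PARENT, RATES, BASELINE))   # ['R3', 'R6']
    burst = [100] * 5  # constructed: 100 pkt/interval against a 50 pkt/interval link
    print("unfiltered:", run_filter(burst, 50, min_q=10**9, max_q=10**9 + 1))
    print("filtered  :", run_filter(burst, 50))
```

The filter does not try to tell attack packets from legitimate ones, which is the point the abstract makes about core routers: it only keeps the queue bounded, so legitimate victim-bound traffic sharing the congested hop is dropped in the same proportion. That is the price of a per-hop filter with no per-flow state.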
Citations
Proceedings ArticleDOI
15 Nov 2010
TL;DR: Both theoretical analysis and experimental results show that the AEB scheme can efficiently detect DDoS attacks with high accuracy and performs significantly better at distinguishing waves of legal traffic and flash crowds from low-rate DoS.
Abstract: Prior work has shown entropy-based DDoS detection is suitable for detecting low-rate DoS. A key challenge in this approach is to determine the most suitable threshold for detecting DDoS attacks accurately. To address this challenge, we propose an advanced entropy-based (AEB) scheme, which divides variable-rate DDoS attacks into different fields and treats each field with different methods. Compared with prior entropy-based approaches, our scheme performs significantly better at distinguishing waves of legal traffic and flash crowds from low-rate DoS. We validate the effectiveness of our scheme by conducting extensive simulation in NS-2. Both theoretical analysis and experimental results show that our scheme can efficiently detect DDoS attacks with high accuracy.

52 citations
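The abstract above says plain entropy-based detection struggles to separate flash crowds from attacks and that the threshold is the hard part. The following added example, written for this page and not taken from the AEB paper, shows the basic entropy detector the abstract is improving on: Shannon entropy of the destination-address distribution per traffic window, compared against a baseline with an assumed margin. The three windows (normal, spoofed flood, flash crowd) are constructed. It deliberately shows the failure mode: a flash crowd aimed at one server concentrates destinations exactly like a flood, so the single threshold flags both, which is the gap the AEB scheme's per-field treatment is meant to close.

```python
"""Basic entropy-based anomaly detection over traffic windows.

Added illustration; not code from the AEB paper. The windows, addresses,
baseline and margin are constructed for the demo.
"""
import math
from collections import Counter


def shannon_entropy(values):
    """Shannon entropy in bits of the empirical distribution of `values`."""
    counts = Counter(values)
    total = len(values)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def window_entropies(window):
    """window: list of (src_ip, dst_ip). Returns (H_src, H_dst) in bits."""
    return (shannon_entropy([s for s, _ in window]),
            shannon_entropy([d for _, d in window]))


def detect(windows, baseline_dst_entropy, delta):
    """Flag windows whose destination entropy drops `delta` bits or more below
    the baseline: traffic is concentrating on few targets."""
    flagged = []
    for i, w in enumerate(windows):
        _, h_dst = window_entropies(w)
        if h_dst <= baseline_dst_entropy - delta:
            flagged.append(i)
    return flagged


# Constructed traffic windows: (source, destination) per packet.
def normal_window(n=40):
    # 40 clients spread evenly over 8 servers -> H_dst = 3 bits
    return [(f"10.0.{i % 8}.{i}", f"192.0.2.{i % 8 + 1}") for i in range(n)]


def flood_window(n=400):
    # spoofed, distinct pseudo-random sources all aimed at one victim
    return [(f"198.18.{(i * 7919 % 65536) // 256}.{(i * 7919) % 256}", "192.0.2.1")
            for i in range(n)]


def flash_crowd_window(n=400):
    # many genuine clients also aimed at one popular server
    return [(f"172.16.{i // 256}.{i % 256}", "192.0.2.1") for i in range(n)]


def demo(delta=2.0):
    """Return indices of flagged windows among [normal, flood, flash crowd]."""
    windows = [normal_window(), flood_window(), flash_crowd_window()]
    _, baseline = window_entropies(windows[0])  # assumed: window 0 is the quiet baseline
    return detect(windows, baseline, delta)


if __name__ == "__main__":
    for name, w in (("normal", normal_window()), ("flood", flood_window()),
                    ("flash crowd", flash_crowd_window())):
        print(f"{name:12s} H_src={window_entropies(w)[0]:.2f} H_dst={window_entropies(w)[1]:.2f}")
    print("flagged windows:", demo())   # [1, 2]: the flash crowd trips the same threshold
```

Source entropy does not rescue the single-threshold detector either: a spoofed flood and a genuine flash crowd both show high source entropy. Rate of change and per-rate treatment of the entropy series, which is what the AEB abstract describes, are the additional signals needed.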

Journal ArticleDOI
TL;DR: A systematic approach is followed to comprehensively review and categorize 275 works representing the existing IP traceback literature, providing an in-depth analysis of different IP traceback approaches, their functional classes and the evaluation metrics.

37 citations

Dissertation
01 Jan 2015

10 citations


Cites background or result from "An On-line DDoS Attack Traceback an..."

  • ...The authors believe that their approach provides a more flexible and effective way of marking packets compared to earlier solutions [3, 17, 74, 188, 216, 243]....


  • ...Furthermore Su, Wu, Hsu and Kuo [216], introduced a trace-back and mitigation system based on network performance....


Journal ArticleDOI
TL;DR: This paper has first identified the types of DoS and DDoS attack, then provided the solution for those attacks on the basis of attacker’s identification and used the concept of ISP and IANA to identify the actual attacker.
Abstract: A DDoS attack is a form of DoS attack in which the attacker uses authorized users' IP addresses to attack a particular victim. Of the two types of attack, it falls in the active category. The main aim of the attacker is to jam the resources in order to deny services to the recipient. The attacker can use several strategies to achieve this goal, one of which is flooding the network with bogus requests. The attack is distributed because the attacker uses multiple computers to launch the denial of service attack. In this paper we first identify the types of DoS and DDoS attack. Then we provide a solution for those attacks on the basis of the attacker's identification. The main focus of this paper is to identify the actual attacker, who has performed the attack by sitting behind a forged system. For that purpose we first prevent IP forgery by using a sender authentication process, then calculate the TCP flow rate and from it identify whether packets are normal or malicious. We detect the attack on the receiver proxy server by using entropy and normalized entropy calculation. If an attack is detected then we drop the packets, get their mark value and trace them back to the source. Finally we use the concept of ISP and IANA to identify the actual attacker. NS2 has been used to simulate the proposed methods. General terms: Normal packet: packets that are sent by an authentic user; Attack packet: packets that are sent by an attacker to perform an attack on a particular victim.

6 citations

01 Jan 2010
TL;DR: Simulation results show that the proposed Priority Queue-based scheme not only effectively decreases the flows of malicious packets from DDoS attacks with various packet rates, but also provides smooth and constant flows for packets sent by normal users.
Abstract: In this paper we focus on alleviating malicious traffic from DDoS attacks since many famous websites have been attacked by them and massive losses have been reported in recent years. We propose a Priority Queue-Based scheme to analyze the interval of the arrival times of incoming packets in order to distinguish malicious traffic from normal traffic and to take care of malicious attacks clogging the network. We use the network simulator, NS2, to assess the efficiency of the proposed scheme. Simulation results show that the proposed Priority Queue-based scheme not only effectively decreases the flows of malicious packets from DDoS attacks with various packet rates, but also provides smooth and constant flows for packets sent by normal users. Furthermore, our priority queue-based scheme performs much better than other schemes when the number of the DDoS nodes becomes large.

3 citations

References
01 Jan 1998
TL;DR: A simple, effective, and straightforward method for using ingress traffic filtering to prohibit DoS attacks which use forged IP addresses to be propagated from 'behind' an Internet Service Provider's (ISP) aggregation point is discussed.
Abstract: Recent occurrences of various Denial of Service (DoS) attacks which have employed forged source addresses have proven to be a troublesome issue for Internet Service Providers and the Internet community overall. This paper discusses a simple, effective, and straightforward method for using ingress traffic filtering to prohibit DoS attacks which use forged IP addresses to be propagated from 'behind' an Internet Service Provider's (ISP) aggregation point.

1,596 citations


"An On-line DDoS Attack Traceback an..." refers background in this paper

  • ...[10] proposed the ingress filtering which blocks packets with attack source IP addresses at ingress routers....


Journal ArticleDOI
TL;DR: A general purpose traceback mechanism based on probabilistic packet marking in the network that allows a victim to identify the network path(s) traversed by attack traffic without requiring interactive operational support from Internet Service Providers (ISPs).
Abstract: This paper describes a technique for tracing anonymous packet flooding attacks in the Internet back toward their source. This work is motivated by the increased frequency and sophistication of denial-of-service attacks and by the difficulty in tracing packets with incorrect, or “spoofed,” source addresses. In this paper, we describe a general purpose traceback mechanism based on probabilistic packet marking in the network. Our approach allows a victim to identify the network path(s) traversed by attack traffic without requiring interactive operational support from Internet Service Providers (ISPs). Moreover, this traceback can be performed “post mortem”—after an attack has completed. We present an implementation of this technology that is incrementally deployable, (mostly) backward compatible, and can be efficiently implemented using conventional technology.

725 citations


"An On-line DDoS Attack Traceback an..." refers background in this paper

  • ...[7] proposed Probabilistic Packet Marking (PPM) to reduce the overhead in DM....

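The reference above describes probabilistic packet marking only in outline. The following is an added illustration of the edge-sampling variant, written for this page; it is not the paper's code and does not reproduce its encoding of marks into the IP identification field, using plain fields on a Python object instead. The topology (two attack paths sharing `R2` and `R3`), the marking probability and the packet counts are constructed. Each router marks a packet with probability `p`, writing itself as the edge start and resetting the distance; otherwise it completes a fresh edge as the end and bumps the distance. The victim rebuilds the attack tree by inserting edges in increasing distance order, which is the post-mortem reconstruction the abstract refers to.

```python
"""Edge-sampling probabilistic packet marking with victim-side reconstruction.

Added illustration, not the paper's code. Marks live in plain object fields
rather than the IP identification field; topology and parameters are constructed.
"""
import random
from dataclasses import dataclass
from typing import Optional

VICTIM = "V"


@dataclass
class Packet:
    start: Optional[str] = None  # router that began the sampled edge
    end: Optional[str] = None    # next router on the path (None until set)
    distance: int = 0            # hops travelled since the mark was written


def mark(pkt, router, p, rng):
    """Edge sampling as run by every router on the path."""
    if rng.random() < p:
        pkt.start, pkt.end, pkt.distance = router, None, 0
    else:
        if pkt.distance == 0:
            pkt.end = router
        pkt.distance += 1


def send(path, n, p, rng):
    """Forward n packets over `path` (routers listed from attacker side to victim)."""
    out = []
    for _ in range(n):
        pkt = Packet()
        for router in path:
            mark(pkt, router, p, rng)
        out.append(pkt)
    return out


def collect_edges(packets, victim=VICTIM):
    """Victim side: keep (start, end, distance) from every marked packet.
    A packet with distance 0 was marked by the last hop, so its edge ends at the victim."""
    edges = set()
    for pkt in packets:
        if pkt.start is None:          # never marked; nothing to learn
            continue
        end = victim if pkt.distance == 0 else pkt.end
        edges.add((pkt.start, end, pkt.distance))
    return edges


def reconstruct(edges, victim=VICTIM):
    """Build the attack tree rooted at the victim and return, per leaf router,
    the router path from that leaf down to the victim."""
    depth = {victim: 0}
    parent = {}                        # router -> next hop towards the victim
    for start, end, d in sorted(edges, key=lambda e: e[2]):
        if depth.get(end) == d:        # edge must attach at the expected depth
            depth[start] = d + 1
            parent[start] = end
    leaves = set(parent) - set(parent.values())
    paths = {}
    for leaf in sorted(leaves):
        node, path = leaf, []
        while node != victim:
            path.append(node)
            node = parent[node]
        paths[leaf] = path
    return paths


def demo(p=0.2, n=400, seed=7):
    """Two constructed attack paths converging on R2 -> R3 -> V."""
    rng = random.Random(seed)
    received = send(["R1", "R2", "R3"], n, p, rng) + send(["R4", "R2", "R3"], n, p, rng)
    return reconstruct(collect_edges(received))


if __name__ == "__main__":
    print(demo())   # {'R1': ['R1', 'R2', 'R3'], 'R4': ['R4', 'R2', 'R3']}
```

The expected number of packets needed to observe the edge `d` hops from the victim is `1/(p(1-p)^d)`, so a low `p` keeps marks from being overwritten on long paths but means more packets before the far edges show up; that trade-off is why the victim only needs a few hundred attack packets here but would need many more for paths of 15-20 hops.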

Proceedings ArticleDOI
27 Aug 2001
TL;DR: This paper describes and evaluates route-based distributed packet filtering (DPF), a novel approach to distributed DoS (DDoS) attack prevention, and shows that DPF achieves proactiveness and scalability, and there is an intimate relationship between the effectiveness of DPF at mitigating DDoS attack and power-law network topology.
Abstract: Denial of service (DoS) attack on the Internet has become a pressing problem. In this paper, we describe and evaluate route-based distributed packet filtering (DPF), a novel approach to distributed DoS (DDoS) attack prevention. We show that DPF achieves proactiveness and scalability, and we show that there is an intimate relationship between the effectiveness of DPF at mitigating DDoS attack and power-law network topology. The salient features of this work are two-fold. First, we show that DPF is able to proactively filter out a significant fraction of spoofed packet flows and prevent attack packets from reaching their targets in the first place. The IP flows that cannot be proactively curtailed are extremely sparse so that their origin can be localized---i.e., IP traceback---to within a small, constant number of candidate sites. We show that the two proactive and reactive performance effects can be achieved by implementing route-based filtering on less than 20% of Internet autonomous system (AS) sites. Second, we show that the two complementary performance measures are dependent on the properties of the underlying AS graph. In particular, we show that the power-law structure of Internet AS topology leads to connectivity properties which are crucial in facilitating the observed performance effects.

611 citations
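Two of the references above are source-address filters: ingress filtering at the customer edge (the 1998 reference) and route-based filtering at transit routers (the DPF reference). The following added example, written for this page and not code from either paper, shows the two checks side by side on constructed data: a per-port table of assigned customer prefixes for the edge check, and a small FIB for a reverse-path check that accepts a packet only when the route back to its source leaves through the interface it arrived on (strict) or at least exists as a non-default route (loose). Interface names, prefixes and the packet sample are constructed.

```python
"""Source-address filtering: BCP 38 ingress check and route-based reverse-path check.

Added illustration; not code from either paper. All tables and packets are constructed.
"""
import ipaddress

# Constructed: customer prefixes assigned per access port of an edge router.
CUSTOMER_PREFIXES = {
    "ge-0/0/1": [ipaddress.ip_network("203.0.113.0/24")],
    "ge-0/0/2": [ipaddress.ip_network("198.51.100.0/25")],
}

# Constructed FIB of a transit router: (prefix, egress interface).
FIB = [
    (ipaddress.ip_network("203.0.113.0/24"), "xe-1/0/0"),
    (ipaddress.ip_network("198.51.100.0/24"), "xe-1/0/1"),
    (ipaddress.ip_network("192.0.2.0/24"), "xe-1/0/2"),
    (ipaddress.ip_network("0.0.0.0/0"), "xe-1/0/9"),   # default route to upstream
]


def ingress_ok(iface, src):
    """BCP 38 at the customer edge: the source must belong to the port's customer."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in CUSTOMER_PREFIXES.get(iface, []))


def longest_prefix_match(addr):
    """Return (prefix, egress) of the most specific FIB entry covering addr."""
    addr = ipaddress.ip_address(addr)
    best = None
    for net, egress in FIB:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, egress)
    return best


def route_based_ok(iface, src, strict=True):
    """Reverse-path check at a transit router.

    strict: the route back to src must leave via the arrival interface.
    loose:  any non-default route back to src is enough."""
    match = longest_prefix_match(src)
    if match is None or match[0].prefixlen == 0:
        return False            # only the default route covers src: unverifiable
    return match[1] == iface if strict else True


def filter_packets(packets, strict=True):
    """packets: (router_role, arrival_iface, src, dst). Returns [(src, verdict)]."""
    verdicts = []
    for role, iface, src, dst in packets:
        ok = ingress_ok(iface, src) if role == "edge" else route_based_ok(iface, src, strict)
        verdicts.append((src, "accept" if ok else "drop"))
    return verdicts


# Constructed packet sample: legitimate traffic plus spoofed attack packets.
SAMPLE = [
    ("edge", "ge-0/0/1", "203.0.113.7", "192.0.2.10"),      # customer's own address
    ("edge", "ge-0/0/1", "192.0.2.10", "192.0.2.10"),       # spoofed as the victim
    ("edge", "ge-0/0/2", "198.51.100.200", "192.0.2.10"),   # outside the assigned /25
    ("transit", "xe-1/0/1", "198.51.100.9", "192.0.2.10"),  # route back agrees
    ("transit", "xe-1/0/0", "198.51.100.9", "192.0.2.10"),  # wrong interface: spoofed
    ("transit", "xe-1/0/9", "198.18.0.1", "192.0.2.10"),    # only the default route matches
]

if __name__ == "__main__":
    for mode in (True, False):
        print("strict" if mode else "loose ", filter_packets(SAMPLE, strict=mode))
```

The edge check is the cheap and decisive one: at the aggregation point the operator knows exactly which prefixes a port may source. The transit check depends on routing symmetry; with asymmetric paths, strict mode drops legitimate traffic arriving on an interface the FIB would not use in the reverse direction, which is why the DPF paper's argument rests on placing route-based filters at a well-chosen fraction of AS sites rather than everywhere. Loose mode survives asymmetry but only rejects sources with no specific route at all.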

Proceedings Article
08 Dec 2000
TL;DR: This work outlines a technique for tracing spoofed packets back to their actual source host without relying on the cooperation of intervening ISPs, and assumes that routes are largely symmetric, can be discovered, are fairly consistent, and the attacking packet stream arrives from a single source network.
Abstract: Most denial-of-service attacks are characterized by a flood of packets with random, apparently valid source addresses. These addresses are spoofed, created by a malicious program running on an unknown host, and carried by packets that bear no clues that could be used to determine their originating host. Identifying the source of such an attack requires tracing the packets back to the source hop by hop. Current approaches for tracing these attacks require the tedious continued attention and cooperation of each intermediate Internet Service Provider (ISP). This is not always easy given the world-wide scope of the Internet. We outline a technique for tracing spoofed packets back to their actual source host without relying on the cooperation of intervening ISPs. First, we map the paths from the victim to all possible networks. Next, we locate sources of network load, usually hosts or networks offering the UDP chargen service [5]. Finally, we work back through the tree, loading lines or routers and observing changes in the rate of invading packets. These observations often allow us to eliminate all but a handful of networks that could be the source of the attacking packet stream. Our technique assumes that routes are largely symmetric, can be discovered, are fairly consistent, and the attacking packet stream arrives from a single source network. We have run some simple and single-blind tests on Lucent's intranet, where our technique usually works, with better chances during busier network time periods; in several tests, we were able to determine the specific network containing the attacker. An attacker who is aware of our technique can easily thwart it, either by covering his traces on the attacking host, initiating a "whack-a-mole" attack from several sources, or using many sources.

542 citations


Additional excerpts

  • ...[6] proposed Deterministic Packet Marking (DPM)....
