Journal ArticleDOI

ROUTER BASED MECHANISM FOR MITIGATION OF DDoS ATTACK- A SURVEY

TL;DR: This paper focuses on the Distributed Denial of Service attack, its surveys and classification, and also the mitigation techniques proposed in the literature by various researchers.
Abstract: Today most activities, such as trade and e-commerce, depend on the availability of the Internet. The growing use of Internet services in the past few years has facilitated an increase in distributed denial of service (DDoS) attacks. Because of DDoS attacks caused by malicious hosts, secure data communication over the Internet is very difficult to achieve and is the need of the hour. DDoS attacks are one of the most widespread problems faced by Internet service providers (ISPs). The work already done has been in the direction of detection, prevention and trace-back of DDoS attacks. Mitigation of these attacks has also gained the utmost importance in the present scenario. A number of techniques have been proposed by various researchers, but those techniques produce high collateral damage, so more effort is needed in the area of mitigation of DDoS attacks. This paper focuses on the Distributed Denial of Service attack, its surveys and classification, and also the mitigation techniques proposed in the literature by various researchers.


References
Proceedings ArticleDOI
01 Jan 2002
TL;DR: This paper presents an architecture for Pushback, its implementation under FreeBSD, and suggestions for how such a system can be implemented in core routers.
Abstract: Pushback is a mechanism for defending against distributed denial-of-service (DDoS) attacks. DDoS attacks are treated as a congestion-control problem, but because most such congestion is caused by malicious hosts not obeying traditional end-to-end congestion control, the problem must be handled by the routers. Functionality is added to each router to detect and preferentially drop packets that probably belong to an attack. Upstream routers are also notified to drop such packets (hence the term Pushback) in order that the router's resources be used to route legitimate traffic. In this paper we present an architecture for Pushback, its implementation under FreeBSD, and suggestions for how such a system can be implemented in core routers.

602 citations

Proceedings ArticleDOI
11 May 2003
TL;DR: Pi (short for path identifier), a new packet marking approach in which a path fingerprint is embedded in each packet, enabling a victim to identify packets traversing the same paths through the Internet on a per packet basis, regardless of source IP address spoofing.
Abstract: Distributed denial of service (DDoS) attacks continue to plague the Internet. Defense against these attacks is complicated by spoofed source IP addresses, which make it difficult to determine a packet's true origin. We propose Pi (short for path identifier), a new packet marking approach in which a path fingerprint is embedded in each packet, enabling a victim to identify packets traversing the same paths through the Internet on a per packet basis, regardless of source IP address spoofing. Pi features many unique properties. It is a per-packet deterministic mechanism: each packet traveling along the same path carries the same identifier. This allows the victim to take a proactive role in defending against a DDoS attack by using the Pi mark to filter out packets matching the attackers' identifiers on a per packet basis. The Pi scheme performs well under large-scale DDoS attacks consisting of thousands of attackers, and is effective even when only half the routers in the Internet participate in packet marking. Pi marking and filtering are both extremely lightweight and require negligible state. We use traceroute maps of real Internet topologies (e.g. CAIDA's Skitter (2000) and Burch and Cheswick's Internet Map (1999, 2002)) to simulate DDoS attacks and validate our design.

446 citations

Journal ArticleDOI
TL;DR: This paper proposes two perimeter-based defense mechanisms for Internet service providers (ISPs) to provide the antiDDoS service to their customers and demonstrates analytically and by simulations that the proposed defense mechanisms react quickly in blocking attack traffic while achieving high survival ratio for legitimate traffic.
Abstract: Distributed denial of service (DDoS) is a major threat to the availability of Internet services. The anonymity allowed by IP networking, together with the distributed, large scale nature of the Internet, makes DDoS attacks stealthy and difficult to counter. To make the problem worse, attack traffic is often indistinguishable from normal traffic. As various attack tools become widely available and require minimum knowledge to operate, automated antiDDoS systems become increasingly important. Many current solutions are either excessively expensive or require universal deployment across many administrative domains. This paper proposes two perimeter-based defense mechanisms for Internet service providers (ISPs) to provide the antiDDoS service to their customers. These mechanisms rely completely on the edge routers to cooperatively identify the flooding sources and establish rate-limit filters to block the attack traffic. The system does not require any support from routers outside or inside of the ISP, which not only makes it locally deployable, but also avoids the stress on the ISP core routers. We also study a new problem of perimeter-based IP traceback and provide three solutions. We demonstrate analytically and by simulations that the proposed defense mechanisms react quickly in blocking attack traffic while achieving high survival ratio for legitimate traffic. Even when 40 percent of all customer networks attack, the survival ratio for traffic from the other customer networks is still close to 100 percent.

93 citations

Proceedings ArticleDOI
31 Oct 2005
TL;DR: An extension to AD is proposed called parallel attack diagnosis (PAD), a novel attack mitigation scheme that combines the concepts of Pushback and packet marking that is capable of throttling traffic coming from a large number of attack sources simultaneously.
Abstract: Attack mitigation schemes actively throttle attack traffic generated in distributed denial-of-service (DDoS) attacks. This paper presents attack diagnosis (AD), a novel attack mitigation scheme that combines the concepts of Pushback and packet marking. AD's architecture is in line with the ideal DDoS attack countermeasure paradigm, in which attack detection is performed near the victim host and attack mitigation is executed close to the attack sources. AD is a reactive defense that is activated by a victim host after an attack has been detected. A victim activates AD by sending AD-related commands to its upstream routers. On receipt of such commands, the AD-enabled upstream routers deterministically mark each packet destined for the victim with the information of the input interface that processed that packet. By collecting the router interface information recorded in the packet markings, the victim can trace back the attack traffic to the attack sources. Once the traceback is complete, the victim issues messages that command AD-enabled routers to filter attack packets close to the source. The AD commands can be authenticated by the TTL field of the IP header without relying on any global key distribution infrastructure in the Internet. Although AD can effectively filter traffic generated by a moderate number of attack sources, it is not effective against large-scale attacks. To address this problem, we propose an extension to AD called parallel attack diagnosis (PAD) that is capable of throttling traffic coming from a large number of attack sources simultaneously. AD and PAD are analyzed and evaluated using a realistic network topology based on the Skitter Internet map. Both schemes are shown to be robust against IP spoofing and incur low false positive ratios.

29 citations

Proceedings ArticleDOI
01 Dec 2010
TL;DR: A new client puzzle approach to prevent Denial of Service (DoS) attacks in ad hoc networks by combining computational problems with puzzles, which improves the efficiency and latency of the communicating nodes and resistance to DoS attacks.
Abstract: In this paper we propose a new client puzzle approach to prevent Denial of Service (DoS) attacks in ad hoc networks. Each node in the network first solves a computational problem and with the solution has to create and solve a client puzzle. By combining computational problems with puzzles, we improve the efficiency and latency of the communicating nodes and resistance to DoS attacks. Experimental results show the effectiveness of our approach.

26 citations