Proceedings ArticleDOI

TDFA: Traceback-Based Defense against DDoS Flooding Attacks

13 May 2014, pp. 597-604
TL;DR: A Traceback-based Defense against DDoS Flooding Attacks (TDFA) approach, which consists of three main components: Detection, Traceback, and Traffic Control, is proposed to counter DDoS attacks.
Abstract: Distributed Denial of Service (DDoS) attacks are one of the challenging network security problems to address. The existing defense mechanisms against DDoS attacks usually filter the attack traffic at the victim side. The problem is exacerbated when there are spoofed IP addresses in the attack packets. In this case, even if the attacking traffic can be filtered by the victim, the attacker may reach the goal of blocking the access to the victim by consuming the computing resources or by consuming a big portion of the bandwidth to the victim. This paper proposes a Traceback-based Defense against DDoS Flooding Attacks (TDFA) approach to counter this problem. TDFA consists of three main components: Detection, Traceback, and Traffic Control. In this approach, the goal is to place the packet filtering as close to the attack source as possible. In doing so, the traffic control component at the victim side aims to set up a limit on the packet forwarding rate to the victim. This mechanism effectively reduces the rate of forwarding the attack packets and therefore improves the throughput of the legitimate traffic. Our results based on real world data sets show that TDFA is effective to reduce the attack traffic and to defend the quality of service for the legitimate traffic.
Citations
Journal ArticleDOI
TL;DR: In these data, Japanese cars have lower mileage than American cars; the coefficient on Japan contradicts the expectations and the equation explains 67% of the variation in gas mileage.

85 citations

Proceedings ArticleDOI
01 Jan 2018
TL;DR: The experimental results show that these algorithms can reduce the processing time while maintaining a suitable accuracy rate, and the proposed algorithms with their detection architecture are implemented in the Software-Defined Networking (SDN) technology, which has the flexibility and programmable abilities.
Abstract: Distributed Denial of Service (DDoS) attack is one of the most long-lasting problems in network security. Recently, although the DDoS attack mechanisms are widely understood, the problems are becoming more frequent due to the similarity between DDoS attack and normal traffic. In this work, we propose two approaches of DDoS attack detection which are based on the Self-Organizing Map (SOM). The proposed algorithms with their detection architecture are implemented in the Software-Defined Networking (SDN) technology, which has the flexibility and programmable abilities. The SDN controller allows us to quickly perform complex classification and detection algorithms. By deploying a testbed environment, we successfully evaluate our proposed algorithms in terms of both accuracy and computational overhead. The experimental results show that these algorithms can reduce the processing time while maintaining a suitable accuracy rate.

57 citations


Cites methods from "TDFA: Traceback-Based Defense again..."

  • ...For the testing experiments, many previous works [20]–[22] use the "DDoS Attack 2007" dataset [23] for the attack traffic data and one of the "CAIDA Anonymized Internet Traces Datasets" from 2008 to 2015 for the normal traffic data....


Journal ArticleDOI
TL;DR: The extracted insights from various validated DNS DRDoS case studies lead to a better understanding of the nature and scale of this threat and can generate inferences that could contribute in detecting, preventing, assessing, mitigating and even attributing of DRDoS activities.

44 citations


Cites background from "TDFA: Traceback-Based Defense again..."

  • ...The majority focus on implementing new detection techniques to infer DDoS attacks [46–49], tracing-back the sources of attacks [50,51], investigating spoofed attacks [52] and visualizing attacks [53–55]....


Journal ArticleDOI
TL;DR: This work proposes a novel probabilistic packet marking scheme to infer forward paths from attacker sites to a victim site and enable the victim to delegate the defense to the upstream Internet Service Providers (ISPs).

26 citations

Journal ArticleDOI
30 Jan 2019
TL;DR: The current DDoS defense mechanisms, their strengths and weaknesses are discussed and a need for a continual study in developing defense mechanisms is discussed.
Abstract: Distributed denial of service (DDoS) attacks are a major threat to any network-based service provider. The ability of an attacker to harness the power of a lot of compromised devices to launch an attack makes it even more complex to handle. This complexity can increase even more when several attackers coordinate to launch an attack on one victim. Moreover, attackers these days do not need to be highly skilled to perpetrate an attack. Tools for orchestrating an attack can easily be found online and require little to no knowledge about attack scripts to initiate an attack. Studies have been done severally to develop defense mechanisms to detect and defend against DDoS attacks. As defense schemes are designed and developed, attackers are also on the move to evade these defense mechanisms and so there is a need for a continual study in developing defense mechanisms. This paper discusses the current DDoS defense mechanisms, their strengths and weaknesses.

24 citations

References
01 Jan 1998
TL;DR: A simple, effective, and straightforward method for using ingress traffic filtering to prohibit DoS attacks which use forged IP addresses to be propagated from 'behind' an Internet Service Provider's (ISP) aggregation point is discussed.
Abstract: Recent occurrences of various Denial of Service (DoS) attacks which have employed forged source addresses have proven to be a troublesome issue for Internet Service Providers and the Internet community overall. This paper discusses a simple, effective, and straightforward method for using ingress traffic filtering to prohibit DoS attacks which use forged IP addresses to be propagated from 'behind' an Internet Service Provider's (ISP) aggregation point.

1,596 citations


"TDFA: Traceback-Based Defense again..." refers background in this paper

  • ...…address of the egress interface of the edge router; (ii) the network interface identifier (NI-ID), which is an identifier assigned to each interface of either the MAC address of a network interface on the edge router, or the VLAN ID of a virtual interface if the edge router uses VLAN interfaces;…...


Journal ArticleDOI
01 Jul 2002
TL;DR: The design involves both a local mechanism for detecting and controlling an aggregate at a single router, and a cooperative pushback mechanism in which a router can ask upstream routers to control an aggregate.
Abstract: The current Internet infrastructure has very few built-in protection mechanisms, and is therefore vulnerable to attacks and failures. In particular, recent events have illustrated the Internet's vulnerability to both denial of service (DoS) attacks and flash crowds in which one or more links in the network (or servers at the edge of the network) become severely congested. In both DoS attacks and flash crowds the congestion is due neither to a single flow, nor to a general increase in traffic, but to a well-defined subset of the traffic --- an aggregate. This paper proposes mechanisms for detecting and controlling such high bandwidth aggregates. Our design involves both a local mechanism for detecting and controlling an aggregate at a single router, and a cooperative pushback mechanism in which a router can ask upstream routers to control an aggregate. While certainly not a panacea, these mechanisms could provide some needed relief from flash crowds and flooding-style DoS attacks. The presentation in this paper is a first step towards a more rigorous evaluation of these mechanisms.

808 citations


"TDFA: Traceback-Based Defense again..." refers background in this paper

  • ...In a situation when the attacker spoofs the source MAC address of the attack packets with several valid MAC addresses in the network, then DFM can infer the source of an attack up to the ingress interface of the attacker end edge router....


Proceedings Article
14 Aug 2000
TL;DR: This system simplifies the work required to determine the ingress adjacency of a flood attack while bypassing any equipment which may be incapable of performing the necessary diagnostic functions.
Abstract: Finding the source of forged Internet Protocol (IP) datagrams in a large, high-speed network is difficult due to the design of the IP protocol and the lack of sufficient capability in most high-speed, high-capacity router implementations. Typically, not enough of the routers in such a network are capable of performing the packet forwarding diagnostics required for this. As a result, tracking-down the source of a flood-type denial-of-service (DoS) attack is usually difficult or impossible in these networks. CenterTrack is an overlay network, consisting of IP tunnels or other connections, that is used to selectively reroute interesting datagrams directly from edge routers to special tracking routers. The tracking routers, or associated sniffers, can easily determine the ingress edge router by observing from which tunnel the datagrams arrive. The datagrams can be examined, then dropped or forwarded to the appropriate egress point. This system simplifies the work required to determine the ingress adjacency of a flood attack while bypassing any equipment which may be incapable of performing the necessary diagnostic functions.

508 citations


"TDFA: Traceback-Based Defense again..." refers methods in this paper

  • ...The 60-bit identification data is divided into K fragments; therefore the mark contains M = 60/K bits of the identification data and S = log2(K) bits are required to identify a fragment....


Journal ArticleDOI
TL;DR: This article describes an extensible tool that uses lightweight static analysis to detect common security vulnerabilities (including buffer overflows and format string vulnerabilities).
Abstract: Most security attacks exploit instances of well-known classes of implementation flaws. Developers could detect and eliminate many of these flaws before deploying the software, yet these problems persist with disturbing frequency, not because the security community doesn't sufficiently understand them but because techniques for preventing them have not been integrated into the software development process. This article describes an extensible tool that uses lightweight static analysis to detect common security vulnerabilities (including buffer overflows and format string vulnerabilities).

507 citations


"TDFA: Traceback-Based Defense again..." refers background in this paper

  • ...In a situation when the attacker spoofs the source MAC address of the attack packets with several valid MAC addresses in the network, then DFM can infer the source of an attack up to the ingress interface of the attacker end edge router....


  • ...When a packet of an unseen flow arrives at the destination node, the DFMD module extracts the marking information of this flow from the marked packets, identified by F flag....


Proceedings ArticleDOI
09 May 2004
TL;DR: This paper presents SIFF, a Stateless Internet Flow Filter, which allows an end-host to selectively stop individual flows from reaching its network, without any of the common assumptions listed above.
Abstract: One of the fundamental limitations of the Internet is the inability of a packet flow recipient to halt disruptive flows before they consume the recipient's network link resources. Critical infrastructures and businesses alike are vulnerable to DoS attacks or flash-crowds that can incapacitate their networks with traffic floods. Unfortunately, current mechanisms require per-flow state at routers, ISP collaboration, or the deployment of an overlay infrastructure to defend against these events. In this paper, we present SIFF, a Stateless Internet Flow Filter, which allows an end-host to selectively stop individual flows from reaching its network, without any of the common assumptions listed above. We divide all network traffic into two classes, privileged (prioritized packets subject to recipient control) and unprivileged (legacy traffic). Privileged channels are established through a capability exchange handshake. Capabilities are dynamic and verified statelessly by the routers in the network, and can be revoked by quenching update messages to an offending host. SIFF is transparent to legacy clients and servers, but only updated hosts will enjoy the benefits of it.

405 citations


"TDFA: Traceback-Based Defense again..." refers background in this paper

  • ...In a situation when the attacker spoofs the source MAC address of the attack packets with several valid MAC addresses in the network, then DFM can infer the source of an attack up to the ingress interface of the attacker end edge router....


  • ...When a packet of an unseen flow arrives at the destination node, the DFMD module extracts the marking information of this flow from the marked packets, identified by F flag....
