Abstract
In this paper, a DDoS defense scheme is proposed for deployment in routers serving as the default gateways of sub-networks. Each router is configured with the set of IP addresses belonging to the monitored sub-networks. By monitoring two-way connections between the policed set of IP addresses and the rest of the Internet, our approach can effectively identify the malicious network flows constituting DDoS attacks, and consequently restrict attack traffic with rate-limiting techniques. Current source-end DDoS defense schemes cannot accurately distinguish between network congestion caused by a DDoS attack and that caused by regular events. Under some circumstances, both the false positive and the false negative rates can be high, and this reduces the effectiveness of the defense mechanism. To improve the effectiveness, new DDoS detection algorithms are presented in this paper to complement, rather than replace, existing source-end DDoS defense systems. The design of the proposed detection algorithm is based on three essential characteristics of DDoS attacks: distribution, congestion, and continuity. With these three characteristics, the proposed detection algorithm significantly improves detection accuracy, and at the same time reduces both false positives and false negatives against DDoS attacks.
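The abstract names three attack characteristics (distribution, congestion, continuity) that a gateway router can check on the flows leaving its policed address set, but the page does not give the authors' algorithm. The following is an added illustration, not code from the chapter: it shows one way a source-end monitor could combine the three tests on per-window flow summaries and turn a positive into a per-destination packet cap. The policed prefix, the thresholds, the asymmetry heuristic used to stand in for "congestion", and the sample flow records are all assumptions constructed for the example.

```python
"""Source-end DDoS detector sketch (added illustration, not the chapter's algorithm).

A gateway polices a set of local prefixes. For every outside destination it
aggregates the flows originating inside the policed set per time window and
applies three tests named in the abstract, using heuristics chosen here:
  distribution -> at least MIN_SOURCES distinct policed hosts send to the destination
  congestion   -> outbound packets dwarf the replies coming back (two-way asymmetry)
  continuity   -> both conditions hold for MIN_WINDOWS consecutive windows
A destination that passes all three gets a per-window outbound packet cap.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Assumed local sub-network (RFC 5737 documentation range) and tuning constants.
POLICED = [ipaddress.ip_network("192.0.2.0/24")]
MIN_SOURCES = 3      # assumption: "distribution" needs this many policed senders
ASYMMETRY = 10.0     # assumption: outbound packets per reply packet to count as congestion
MIN_OUT_PKTS = 500   # assumption: ignore aggregates smaller than this per window
MIN_WINDOWS = 3      # assumption: "continuity" needs this many consecutive windows
CAP_FRACTION = 0.1   # assumption: cap to 10% of the observed outbound rate


@dataclass(frozen=True)
class Flow:
    window: int     # index of the measurement interval
    src: str        # policed-side host
    dst: str        # outside host
    out_pkts: int   # packets from src to dst in this window
    in_pkts: int    # packets from dst back to src in this window


def is_policed(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in POLICED)


def aggregate(flows):
    """Per (window, outside dst): distinct policed sources, total out, total in."""
    agg = defaultdict(lambda: {"srcs": set(), "out": 0, "in": 0})
    for f in flows:
        if is_policed(f.src) and not is_policed(f.dst):
            a = agg[(f.window, f.dst)]
            a["srcs"].add(f.src)
            a["out"] += f.out_pkts
            a["in"] += f.in_pkts
    return agg


def window_suspicious(stat) -> bool:
    """Distribution and congestion tests for one destination in one window."""
    distributed = len(stat["srcs"]) >= MIN_SOURCES
    congested = (stat["out"] >= MIN_OUT_PKTS
                 and stat["out"] >= ASYMMETRY * max(stat["in"], 1))
    return distributed and congested


def detect(flows):
    """Return {dst: packets-per-window cap} for destinations meeting all three tests."""
    agg = aggregate(flows)
    windows = sorted({w for w, _ in agg})
    decisions = {}
    for dst in {d for _, d in agg}:
        run = 0
        for w in windows:
            stat = agg.get((w, dst))
            if stat and window_suspicious(stat):
                run += 1
                if run >= MIN_WINDOWS:   # continuity satisfied
                    decisions[dst] = max(1, int(stat["out"] * CAP_FRACTION))
                    break
            else:
                run = 0                  # a quiet window breaks continuity
    return decisions


def sample_flows():
    """Constructed flow records covering four windows."""
    flows = []
    for w in range(4):
        # Sustained one-way flood from four policed hosts: all three tests hold.
        for host in ("192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"):
            flows.append(Flow(w, host, "203.0.113.5", 200, 0))
        # Single host, healthy two-way exchange: fails distribution and congestion.
        flows.append(Flow(w, "192.0.2.20", "198.51.100.7", 300, 280))
        # Many hosts but replies keep pace (flash-crowd-like): fails congestion.
        for host in ("192.0.2.10", "192.0.2.11", "192.0.2.12"):
            flows.append(Flow(w, host, "198.51.100.8", 300, 290))
        # Short one-way burst in the first two windows only: fails continuity.
        if w < 2:
            for host in ("192.0.2.30", "192.0.2.31", "192.0.2.32"):
                flows.append(Flow(w, host, "203.0.113.9", 200, 0))
    return flows


if __name__ == "__main__":
    print(detect(sample_flows()))   # only 203.0.113.5 is capped
```

Only the destination that is hit by several policed hosts, sees almost no reply traffic, and stays that way across three windows is rate-limited; the two-way and short-lived cases are left alone, which is the false-positive reduction the abstract is after.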
© 2005 Springer Science+Business Media, Inc.
Lee, FY., Shieh, S., Shieh, JT., Wang, SH. (2005). A Source-End Defense System Against DDoS Attacks. In: Lee, D.T., Shieh, S.P., Tygar, J.D. (eds) Computer Security in the 21st Century. Springer, Boston, MA. https://doi.org/10.1007/0-387-24006-3_10
DOI: https://doi.org/10.1007/0-387-24006-3_10
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-24005-3
Online ISBN: 978-0-387-24006-0