Study of detection method for spoofed IP against DDoS attacks

  • Original Article
  • Personal and Ubiquitous Computing

Abstract

Cybercriminals are learning to harness the power of simpler devices like connected cameras. In September of 2016, Mirai software was used to infect more than 100,000 devices and unleash one of the largest distributed denial-of-service (DDoS) attacks up to that time. After this incident, many people identified multiple large attacks coming from Internet of Things (IoT) devices, like CCTV cameras, and described these attacks as a new trend. A technique to detect whether a signal source is counterfeited in the initial stage of a DDoS attack is important. This paper proposes a method for the quick detection of a spoofed Internet protocol (IP) during a DDoS attack based on a DDoS shelter that is established to defend against DDoS attacks. In order to achieve this goal, we evaluate the number of time-to-live hops in normal traffic as a reference for the bandwidth of each network that is accessible to the DDoS shelter. In this study, we conduct an experiment using cases of actual DDoS attacks. As a result of this experiment, we prove that our proposed method quickly detects a spoofed IP.
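
The abstract's idea of using hop counts from normal traffic as a per-network reference can be illustrated with the general hop-count comparison below. This is an added example, not the paper's algorithm or code; the list of initial TTLs, the /24 grouping, the tolerance of one hop and the sample packets are assumptions made for illustration.

```python
from collections import Counter, defaultdict
import ipaddress

# Common initial TTLs set by operating systems (assumption of the general
# technique; a stack using another default yields a wrong hop count).
INITIAL_TTLS = (32, 64, 128, 255)

def hop_count(observed_ttl):
    """Infer hops travelled: smallest common initial TTL >= observed TTL."""
    if not 1 <= observed_ttl <= 255:
        raise ValueError("TTL out of range")
    initial = next(t for t in INITIAL_TTLS if t >= observed_ttl)
    return initial - observed_ttl

def prefix_of(ip, bits=24):
    """Group sources by network prefix (/24 is an assumed granularity)."""
    return ipaddress.ip_network(f"{ip}/{bits}", strict=False)

def build_baseline(normal_packets):
    """Map each prefix to the most common hop count seen in normal traffic."""
    counts = defaultdict(Counter)
    for src, ttl in normal_packets:
        counts[prefix_of(src)][hop_count(ttl)] += 1
    return {p: c.most_common(1)[0][0] for p, c in counts.items()}

def classify(packet, baseline, tolerance=1):
    """Return 'ok', 'suspect' (hop mismatch) or 'unknown' (no reference)."""
    src, ttl = packet
    ref = baseline.get(prefix_of(src))
    if ref is None:
        return "unknown"
    return "ok" if abs(hop_count(ttl) - ref) <= tolerance else "suspect"

# Constructed sample data (documentation address ranges, not real traffic):
# (source IP, TTL observed at the receiver) pairs from a quiet period.
NORMAL = [("192.0.2.10", 52), ("192.0.2.11", 52), ("192.0.2.40", 116),
          ("198.51.100.7", 240), ("198.51.100.9", 240)]
BASELINE = build_baseline(NORMAL)

if __name__ == "__main__":
    for pkt in [("192.0.2.99", 53), ("192.0.2.99", 120), ("203.0.113.5", 60)]:
        print(pkt, classify(pkt, BASELINE))
```

A mismatch is a signal to weigh alongside other checks rather than a verdict, since route changes and NAT shift the hop counts of legitimate sources.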


Funding

This work was supported under the framework of the international cooperation program managed by the National Research Foundation of Korea (2016K2A9A2A05005255).

Author information

Corresponding authors

Correspondence to Nam-Kyun Baik or Cheonshik Kim.

About this article

Cite this article

Lee, YJ., Baik, NK., Kim, C. et al. Study of detection method for spoofed IP against DDoS attacks. Pers Ubiquit Comput 22, 35–44 (2018). https://doi.org/10.1007/s00779-017-1097-y

  • DOI: https://doi.org/10.1007/s00779-017-1097-y
