An IP-traceback-based packet filtering scheme for eliminating DDoS attacks

Cited by: 3
Authors
Wang, Yulong [1 ]
Sun, Rui [1 ]
Affiliations
[1] State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing
Keywords
DDoS attack; IP traceback; Packet filtering;
DOI
10.4304/jnw.9.4.874-881
Abstract
Distributed Denial-of-Service (DDoS) is still an important security challenge for computer networks. Filter-based DDoS defense is considered an effective approach, since it can defend against both victim-resource-consumption attacks and link-congestion attacks. However, the high rate of false positives and the heavy consumption of router resources reduce the practicality of existing filter-based approaches. To solve this problem, we propose a new mechanism to efficiently eliminate the impact caused by DDoS attacks. We use the IP traceback results to obtain an attack graph that contains the candidate filtering routers. Taking into consideration the different filtering performance of the routers in the attack graph, we propose a filtering scheme that determines a small set of filtering routers so as to increase filtering performance and reduce false positives. Simulation results based on real-world network topologies demonstrate that the proposed scheme can effectively reduce the damage caused by DDoS attacks while keeping the loss of normal traffic within an acceptable level. © 2014 ACADEMY PUBLISHER.
Pages: 874 / 881
Page count: 7