An IP-traceback-based packet filtering scheme for eliminating DDoS attacks

Cited by: 3
Authors
Wang, Yulong [1]
Sun, Rui [1]
Affiliation
[1] State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing
Keywords
DDoS attack; IP traceback; Packet filtering
DOI
10.4304/jnw.9.4.874-881
Abstract
Distributed Denial-of-Service (DDoS) is still an important security challenge for computer networks. Filter-based DDoS defense is considered an effective approach, since it can defend against both victim-resource-consumption attacks and link-congestion attacks. However, the high possibility of false positives and the huge consumption of router resources reduce the practicality of existing filter-based approaches. In order to solve this problem, we propose a new mechanism to efficiently eliminate the impact caused by DDoS attacks. We utilize the IP traceback results to obtain an attack graph that contains the candidate filtering routers. Taking the different filtering performance of the routers in the attack graph into consideration, we propose a filtering scheme to determine a small set of filtering routers that would increase filtering performance and reduce false positives. Simulation results based on real-world network topologies demonstrate that the proposed scheme can reduce the damage caused by DDoS attacks effectively and maintain the loss of normal traffic within an acceptable level. © 2014 ACADEMY PUBLISHER.
Pages: 874-881
Number of pages: 7