TRACK: A Novel Approach for Defending Against Distributed Denial-of-Service Attacks

Authors: Randolph Marchany, Jung-Min Park, Ruiliang Chen

Abstract: This paper presents a novel countermeasure against Distributed Denial-of-Service (DDoS) attacks that we call the rouTer poRt mArking and paCKet filtering (TRACK), which includes functions of both IP traceback and packet filtering. TRACK is a comprehensive solution composed of two components: the router port marking module and the packet filtering module. The former is a packet marking scheme for IP traceback, and the latter is a packet filtering scheme that utilizes the information gathered from the former component. The router port marking module marks packets by probabilistically writing a router interface's port number, a locally unique 6-digit identifier, to the packets it transmits. After collecting the packets marked by each router in an attacking path, a victim machine can use the information contained in those packets to trace the attack back to its source (i.e., solve the "IP traceback" problem). In the packet filtering component, the same information is used to filter malicious packets at upstream routers (i.e., routers located in the direction towards the attackers), thus effectively mitigating attacks. Because very little space is required to mark the port number, TRACK allows us to include a signature along with the port number within a single packet's header. The resulting advantage is threefold: (1) significantly fewer packets need to be collected compared to previous schemes, (2) less computation overhead in the traceback process, and (3) scalability: a large number of attackers (i.e., zombies) can be traced efficiently. TRACK uses a router interface instead of an entire router as the "atomic unit" for traceback and filtering, and can accomplish these tasks with a much finer granularity, which helps lower false positives. In the paper, we also show that TRACK supports gradual deployment.
