
Packet-Marking Scheme for DDoS Attack Prevention

K. Stefanidis and D. N. Serpanos, University of Patras

Presentation Transcript


  1. Packet-Marking Scheme for DDoS Attack Prevention K. Stefanidis and D. N. Serpanos University of Patras

  2. Introduction
  • DDoS attacks thrive…
  • Detection works most of the time
  • They cannot be stopped because the sources of the attack are hard to find
  • Unlike most hacking attempts, no response from the victim is required
  • Thus, the source IP address of the attack packets is almost always spoofed
  • Proposed solutions
    • Ingress filtering
    • Logging
    • Link testing
    • Packet marking

  3. Goals and Assumptions
  • Goals
    • We need to find a way to filter the packets that are part of a DDoS attack (note: the source IP address can be spoofed)
    • We need to find a way to distinguish legitimate from attack packets
    • No additional information except the packet’s contents should be required
    • No additional packets should be required
  • Assumptions
    • Attacker may generate any packet
    • Attacker knows that he is being traced
    • Attacker knows the traceback scheme
    • Routing is stable most of the time
    • Routers are not compromised
    • Routers are CPU and memory limited

  4. Marking Scheme - Overview
  • Packets are marked by all the routers along their path
  • Upon arrival, packets carry a distinct mark that denotes their path
  • A path field and a distance field compose the mark
  • Routers XOR part of their IP address with the existing path field
  • They also increase the distance field by one

  5. Marking Procedure
  • We overload part of the fragmentation fields of the IP header
  • The first router along the path initializes the marking
  • The other routers inject their information
  • Scheme is robust against false markings

  6. Filtering and Traceback
  • Filtering
    • The detection/filtering system can use packet markings instead of the source IP address for real-time filtering
    • Same markings denote the same source network
    • What about different paths?
  • Traceback
    • Use the inverse marking procedure to trace the sources of those packets
    • Recursively “visit” upstream routers until you find a source
    • Requires a map of the upstream routers
    • Computationally intensive – can be done “post mortem”
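The following simulation is an added example illustrating slides 4 to 6 (XOR marking by every router, initialization by the first router, mark-based filtering and inverse-marking traceback); it is not the authors' code. The slides do not give the field layout, so the example assumes a 17-bit mark split into a 12-bit path field and a 5-bit distance field, assumes each router contributes the low 12 bits of its IPv4 address, models "the first router initializes the marking" as the edge router overwriting whatever the sender placed in the fields, and uses a small constructed topology (victim, one core router, two intermediate routers, three edge routers). Two of the constructed edge routers are chosen so their paths XOR to the same value, which shows the false positives the later slides mention.

```python
"""Packet-marking simulation (added example, not the presentation's own code)."""
from dataclasses import dataclass
import ipaddress

# Assumed layout: 17-bit mark = 12-bit path field + 5-bit distance field.
PATH_BITS = 12
DIST_BITS = 5
PATH_MASK = (1 << PATH_BITS) - 1
DIST_MASK = (1 << DIST_BITS) - 1


def router_fragment(ip: str) -> int:
    """Part of the router's address XORed into the path field (assumed: low 12 bits)."""
    return int(ipaddress.IPv4Address(ip)) & PATH_MASK


@dataclass
class Packet:
    src_ip: str        # sender-chosen, may be spoofed
    path: int = 0      # overloaded fragmentation bits: path field
    distance: int = 0  # overloaded fragmentation bits: distance field


def mark(pkt: Packet, router_ip: str, first_hop: bool) -> Packet:
    """One router's marking step. The first router initializes the fields,
    discarding any mark the sender forged; later routers inject their part."""
    frag = router_fragment(router_ip)
    if first_hop:
        pkt.path, pkt.distance = frag, 1
    else:
        pkt.path ^= frag
        pkt.distance = (pkt.distance + 1) & DIST_MASK
    return pkt


def send(src_ip: str, route: list, path: int = 0, distance: int = 0) -> Packet:
    """Forward a packet (optionally with an attacker-chosen initial mark) along a route."""
    pkt = Packet(src_ip, path & PATH_MASK, distance & DIST_MASK)
    for hop, router in enumerate(route):
        mark(pkt, router, first_hop=(hop == 0))
    return pkt


def mark_value(pkt: Packet) -> int:
    """The full 17-bit mark as one integer, used as the filtering key."""
    return (pkt.path << DIST_BITS) | pkt.distance


class MarkFilter:
    """Victim-side filter keyed on the mark rather than the spoofable source IP."""
    def __init__(self):
        self.blocked = set()

    def block(self, pkt: Packet) -> None:
        self.blocked.add(mark_value(pkt))

    def allow(self, pkt: Packet) -> bool:
        return mark_value(pkt) not in self.blocked


def traceback(mark_path: int, mark_distance: int, upstream: dict, start: str) -> set:
    """Inverse marking: walk the map of upstream routers, undoing one XOR per hop.
    A candidate edge router is accepted when, after `mark_distance` hops, the
    residual path value is zero. Distinct paths that XOR to the same value all
    satisfy this, which is exactly the scheme's false-positive case."""
    found = set()

    def visit(node: str, path: int, dist: int) -> None:
        for router in upstream.get(node, []):
            residual, remaining = path ^ router_fragment(router), dist - 1
            if remaining == 0:
                if residual == 0:
                    found.add(router)
            elif remaining > 0:
                visit(router, residual, remaining)

    visit(start, mark_path, mark_distance)
    return found


# Constructed topology (addresses are made up). Edge routers E1 and E3 are
# chosen so that E1->B1->C and E3->B2->C XOR to the same path value.
VICTIM = "10.0.0.1"
C, B1, B2 = "10.0.3.1", "10.0.2.1", "10.0.2.2"
E1, E2, E3 = "10.0.1.1", "10.0.1.5", "10.0.1.2"
UPSTREAM = {VICTIM: [C], C: [B1, B2], B1: [E1], B2: [E2, E3]}
ROUTE_E1, ROUTE_E2, ROUTE_E3 = [E1, B1, C], [E2, B2, C], [E3, B2, C]


def demo() -> dict:
    """Run the scenario: spoofed attack traffic via E2, legitimate traffic via E1."""
    legit = send("192.0.2.10", ROUTE_E1)
    attack = send("203.0.113.7", ROUTE_E2)
    # The attacker pre-fills the mark fields; the first hop wipes them out.
    forged = send("203.0.113.7", ROUTE_E2, path=0xFFF, distance=31)
    flt = MarkFilter()
    flt.block(attack)
    return {
        "legit_allowed": flt.allow(legit),
        "attack_allowed": flt.allow(attack),
        "forged_allowed": flt.allow(forged),
        "attack_sources": traceback(attack.path, attack.distance, UPSTREAM, VICTIM),
        "legit_sources": traceback(legit.path, legit.distance, UPSTREAM, VICTIM),
    }


if __name__ == "__main__":
    print(demo())
```

In the demo, the forged packet ends up with the same mark as the unforged one because the edge router overwrites the fields, so filtering on the mark is unaffected by what the attacker wrote. Tracing the legitimate mark returns two edge routers (E1 and the colliding E3), which is the false-positive behaviour the scheme accepts in exchange for a stateless, zero-bandwidth marking.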

  7. Analysis - Overheads
  • The marking procedure is simple and stateless
  • It produces no bandwidth overhead
  • The amount of information that has to be stored by the victim is limited
    • One 17-bit marking per attack source
    • An updated map of upstream routers (< 10 MB)

  8. Analysis - Faults
  • No false negative probability is introduced
  • False positives exist
    • R is the number of edge routers
    • A is the number of attacking hosts
    • n is the number of bits of the marking

  9. Conclusions and Further Work
  • Identifying the true source of incoming packets is the key problem that has to be solved in order to effectively stop DDoS attacks
  • This marking scheme enables
    • Per-packet filtering of attack packets
    • Effective traceback
  • Unlike existing marking schemes
    • It is robust against false markings
    • False positives do not rise as attacking hosts increase
    • No additional packets are required for filtering and traceback purposes

  10. Thank you… Any questions?
