A Source-End Defense System Against DDoS Attacks

  • Fu-Yuan Lee
  • Shiuhpyng Shieh
  • Jui-Ting Shieh
  • Sheng-Hsuan Wang


In this paper, a DDoS defense scheme is proposed to deploy in routers serving as the default gateways of sub-networks. Each router is configured with the set of IP addresses belonging to monitored sub-networks. By monitoring two-way connections between the policed set of IP addresses and the rest of the Intemet, our approach can effectively identify malicious network flows constituting DDoS attacks, and consequently restrict attack traffics with rate-limiting techniques. Current source-end DDoS defense scheme cannot accurately distinguish between network congestion caused by a DDoS attack and that caused by regular events. Under some circumstances, both false positive and false negative can be high, and this reduces the effectiveness of the defense mechanism. To improve the effectiveness, new DDoS detection algorithms are presented in this paper to complement, rather than replace existing source-end DDoS defense systems. The design of the proposed detection algorithm is based on three essential characteristics of DDoS attacks: distribution, congestion, and continuity. With the three characteristics, the proposed detection algorithm significantly improves detection accuracy, and at the same time reduces both false positive and false negative against DDoS attacks.


information warfare DoS/DDoS attacks source-end defense 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. [man, ]
    MANAnet DDoS White Papers. Scholar
  2. [Net, ]
    NetRanger Overview. Scholar
  3. [NFR, ]
    NFR Network Intrusion Detection. Scholar
  4. [Chang, 2002]
    Chang, K. C. (2002). Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial. In IEEE Communications Magazine, volume 40, pages 42–51.CrossRefGoogle Scholar
  5. [Dean et al., 2002]
    Dean, Drew, Franklin, Matt, and Stubblefield, Adam (2002). An Algebraic Approach to IP Traceback. ACM Transactions on Information and System Security, (2): 119–137.CrossRefGoogle Scholar
  6. [Feinstein et al., 2003]
    Feinstein, L., Schnackenberg, D., Balupari, R., and Kindred, D. (2003). Statistical Approaches to DDoS Attack Detection and Response. In Proceedings of DARPA Information Survivability Conference and Exposition, volume 1, pages 303–314.CrossRefGoogle Scholar
  7. [Ferguson, 1998]
    Ferguson, P. (1998). Network Ingress Filtering: Defending Denial of Service Attacks Which Employ IP Source Address Spoofing.Google Scholar
  8. [Ioannidis and Bellovin, 2002] Ioannidis, J. and Bellovin, S. M. (2002). Implementing Pushback: Router-Based Defense Against DDoS Attacks. In Proceedings of Networks and Distributed System Security Symposium.Google Scholar
  9. [Juels and Brainard, 1999]
    Juels, A. and Brainard, J. (1999). Client puzzles: A cryptographic countermeasure against connection depletion attacks. In Proceedings of Networks and Distributed System Security Symposium, pages 151–165.Google Scholar
  10. [Leiwo et al., 2000]
    Leiwo, J., Nikander, P., and Aura, T. (2000). Towards network denial of service resistant protocols. In Proceedings of 15th International Information Security Conference, pages 301–310.Google Scholar
  11. [Mahajan et al., 2002] Mahajan, R., Bellovin, S., Floyd, S., Paxson, V., and Shenker, S. (2002). Controlling high bandwidth aggregates in the network. ACM Computer Communications Review, 32(3), pages 62–73.CrossRefGoogle Scholar
  12. [Mann et al., 2000]
    Mann, G. R., Watson, D., Jahanian, F., and howell, P. (2000). Transport and Application Protocol Scrubbing. In Proceedings of INFOCOM, pages 1381–1390.Google Scholar
  13. [Mirkovic et al., 2002a]
    Mirkovic, J., Martin, J., and Reiher, P. (2002a). Taxonomy of DDoS Attacks and DDoS Defense Mechanisms. Technical Report 020018, UCLA Technical.Google Scholar
  14. [Mirkovic et al., 2002b]
    Mirkovic, J., Prier, G., and Reiher, P. (2002b). Attacking DDoS at the Source. In Proceedings of International Conference on Network Protocols, pages 312–321.Google Scholar
  15. [Moore et al., 2001]
    Moore, D., Voelker, G., and Savage, S. (2001). Inferring internet denial-of-service activity. In Proceedings of 10th USENIX Security Symposium.Google Scholar
  16. [Park and Lee, 2001]
    Park, K. and Lee, H. (2001). On the Effectiveness of Router-Based Packet Filtering for Distributed DoS Attack prevention in Power-Law Intemets. In Proceedings of ACM Sigcomm, pages 15–26.Google Scholar
  17. [Rizzo, 1997]
    Rizzo, Luigi (1997). Dummynet: a simple approach to the evaluation of network protocols. ACM Computer Communication Review.Google Scholar
  18. [Roesch, 1999]
    Roesch, Martin (1999). Snort — Lightweight Intrusion Detection for Networks. In Proceedings of LISA '99: 13th Systems Administration Conference, pages 229–238.Google Scholar
  19. [Savage et al., 2001]
    Savage, Stefan, Wetherall, David, Karlin, Anna, and Aderson, Tom (2001). Network Support for IP Traceback. IEEE/ACM Transactions on Networking, (3):226–237.CrossRefGoogle Scholar
  20. [Savage et al., 2000]
    Savage, Stefan, Wetherall, David, Karlin, Anna R., and Anderson, Tom (2000). Practical Network Support for IP Traceback. In Proceedings of SIGCOMM Conference, pages 295–306.Google Scholar
  21. [Shaprio and Hardy, 2002]
    Shaprio, J. and Hardy, N. (2002). EROS: A principle-driven operating system from the ground up. IEEE Software, pages 26–33.Google Scholar
  22. [Song and Perrig, 2001]
    Song, Dawn and Perrig, Adrian (2001). Advanced and Authenticated Marking Schemes for IP Traceback. In Proceedings of IEEE INFOCOM Conference, pages 878–886.Google Scholar
  23. [Sung and X, 2002]
    Sung, M. and X, J. (2002). IP Traceback-Based Intelligent Packet Filtering: A Novel Technique for Defending against Internet DDoS Attacks. In Proceedings of International Conference on Network Protocols, pages 302–311.Google Scholar
  24. [T. Aura and Leiwo, 2001]
    T. Aura, P. Nikander and Leiwo, J. (2001). DOS-Resistant Authentication with Client Puzzles. Lecture Notes in Computer Science, 2133.Google Scholar
  25. [Wang and Reiter, 2003]
    Wang, X. and Reiter, M. (2003). Defending Against Denial-of-Service Attacks with Puzzle Auctions. In Proceedings of IEEE Symposium on Security and Privacy, pages 78–92.Google Scholar

Copyright information

© Springer Science+Business Media, Inc. 2005

Authors and Affiliations

  • Fu-Yuan Lee
    • 1
  • Shiuhpyng Shieh
    • 1
  • Jui-Ting Shieh
    • 1
  • Sheng-Hsuan Wang
    • 1
  1. 1.Department of Computer Science and Information EngineeringNational Chiao Tung UniversityHsinchuTaiwan

Personalised recommendations