
ITS: A DDoS Mitigating Architecture

  • Conference paper

Abstract

We propose a DDoS mitigation architecture that protects legitimate traffic from the large volume of malicious packets during a DDoS bandwidth attack. The system keeps a legitimacy list and gives higher priority to those packets that are on the list. The legitimacy list is kept up to date by keeping only the entries that complete the TCP three-way handshake and thus defeats IP spoofing. Entries in the list contain the IP address and the path signature of active TCP connections. A packet obtains high priority if its path signature strongly correlates with the corresponding path signature stored in the legitimacy list. We show that the scheme is efficient when deployed incrementally by using priority queuing at perimeter routers. An autonomous system (AS) can immediately benefit from our proposed system when deployed even if other ASs do not deploy it.
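The classification rule described in the abstract, as an added toy model that is not the paper's own code. It assumes (the abstract does not specify these) that a path signature is a 16-bit mark accumulated by routers along the path, and that "strong correlation" means at least a fixed fraction of the bits agree.

```python
# Added example (not from the paper): a toy legitimacy list.
# Assumptions not stated in the abstract: the path signature is a 16-bit
# router mark, and "strongly correlates" means >= THRESHOLD of bits agree.
from dataclasses import dataclass, field

SIG_BITS = 16
THRESHOLD = 0.875  # at least 14 of 16 bits must agree (assumed value)

def correlation(sig_a: int, sig_b: int) -> float:
    """Fraction of signature bits on which two path signatures agree."""
    mask = (1 << SIG_BITS) - 1
    differing = bin((sig_a ^ sig_b) & mask).count("1")
    return 1.0 - differing / SIG_BITS

@dataclass
class LegitimacyList:
    entries: dict = field(default_factory=dict)  # ip -> path signature

    def on_handshake_complete(self, ip: str, sig: int) -> None:
        # Only a completed three-way handshake adds an entry, so packets
        # with spoofed sources never populate the list.
        self.entries[ip] = sig

    def on_connection_close(self, ip: str) -> None:
        self.entries.pop(ip, None)

    def priority(self, ip: str, sig: int) -> str:
        """'high' if the packet's path signature matches the stored one."""
        stored = self.entries.get(ip)
        if stored is None:
            return "low"
        return "high" if correlation(stored, sig) >= THRESHOLD else "low"

def demo() -> list:
    # Constructed traffic: one legitimate client plus packets that claim its
    # address but arrive along a different path, and one unknown source.
    ll = LegitimacyList()
    client_ip, client_sig = "203.0.113.7", 0b1011001110001101
    ll.on_handshake_complete(client_ip, client_sig)
    packets = [
        (client_ip, client_sig),          # genuine, identical path
        (client_ip, client_sig ^ 0b10),   # genuine, one bit changed by a route change
        (client_ip, 0b0100110001110010),  # same address, entirely different path
        ("198.51.100.9", client_sig),     # not on the list at all
    ]
    return [ll.priority(ip, sig) for ip, sig in packets]
```

A perimeter router would feed the "high" packets to the priority queue and leave the rest to compete for the remaining bandwidth, which is why a single AS benefits without neighbouring ASs participating.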

Keywords

  • Path Signature
  • Intermediate Router
  • Attack Packet
  • Legitimate Client
  • Legitimate Traffic

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.





Copyright information

© 2007 Springer

About this paper

Cite this paper

Farhat, H. (2007). ITS: A DDoS Mitigating Architecture. In: Sobh, T. (eds) Innovations and Advanced Techniques in Computer and Information Sciences and Engineering. Springer, Dordrecht. https://doi.org/10.1007/978-1-4020-6268-1_94


  • DOI: https://doi.org/10.1007/978-1-4020-6268-1_94

  • Publisher Name: Springer, Dordrecht

  • Print ISBN: 978-1-4020-6267-4

  • Online ISBN: 978-1-4020-6268-1

  • eBook Packages: Engineering (R0)
