2009 Ninth IEEE International Conference on Computer and Information Technology
A Hash-Based Path Identification Scheme for DDoS Attacks Defense
Xiamen, China
October 11-October 14
ISBN: 978-0-7695-3836-5
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/CIT.2009.47
Distributed Denial of Service (DDoS) attacks pose a major threat to today’s cyber security. Defense against these attacks is complicated by source IP address spoofing, which attackers exploit to conceal the source IP addresses and localities of malicious traffic. In this paper, we propose HPi (Hash-based Path Identification), a novel packet marking scheme to defeat DDoS attacks regardless of forged IP addresses. Our scheme makes full use of a packet’s 16-bit IP Identification field to generate a unique identifier corresponding to the path the packet traverses. Each router along the path hashes the last 16 bits of its IP address into the IP Identification field. Thus the victim can classify every received packet as legitimate or malicious on a per-packet basis with high accuracy. We also develop different filtering strategies for victim servers with different capabilities, and we propose a new packet filtering mechanism, the HPi2HC filter, for the victim to distinguish between legitimate and malicious packets more accurately based on tuple of each packet. Simulation results show that the performance of our scheme is still quite promising even when only half of the routers in the network participate in packet marking. The HPi scheme is also lightweight, supports incremental deployment, and is robust against random initial values forged in the IP Identification field by sophisticated attackers.
Index Terms:
Internet security, Distributed Denial of Service, Packet marking, Hash, Hop count
Citation:
Guang Jin, Fei Zhang, Yuan Li, Honghao Zhang, Jiangbo Qian, "A Hash-Based Path Identification Scheme for DDoS Attacks Defense," cit, vol. 2, pp.219-224, 2009 Ninth IEEE International Conference on Computer and Information Technology, 2009
