IP Traceback-Based Intelligent Packet Filtering: A Novel Technique for Defending against Internet DDoS Attacks
September 2003 (vol. 14 no. 9)
pp. 861-872

Abstract—Distributed Denial of Service (DDoS) is one of the most difficult security problems to address. While many existing techniques (e.g., IP traceback) focus on tracking the location of the attackers after the fact, little is done to mitigate the effect of an attack while it is under way. In this paper, we present a novel technique that can effectively filter out the majority of DDoS traffic, thus improving the overall throughput of the legitimate traffic. The proposed scheme leverages and generalizes the IP traceback schemes to obtain the information concerning whether a network edge is on the attacking path of an attacker ("infected") or not ("clean"). We observe that, while an attacker will have all the edges on its path marked as "infected," edges on the path of a legitimate client will mostly be "clean." By preferentially filtering out packets that are inscribed with the marks of "infected" edges, the proposed scheme removes most of the DDoS traffic while affecting legitimate traffic only slightly. Simulation results based on real-world network topologies all demonstrate that the proposed technique can improve the throughput of legitimate traffic by three to seven times during DDoS attacks.
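The following Python simulation is an added illustration of the filtering idea described in the abstract; it is not code from the paper. It assumes a constructed tree topology, that each packet carries one edge mark chosen round-robin along its path (a stand-in for probabilistic packet marking), and that the set of "infected" edges is taken directly from the attackers' paths, as a traceback scheme would reconstruct it.

```python
"""Traceback-based preferential filtering on a toy topology (added example)."""
from collections import Counter

# Constructed topology: victim V, routers R1-R4, attackers A1/A2, client C.
# Each path is the list of edges a packet traverses towards V.
PATHS = {
    "A1": [("A1", "R1"), ("R1", "R3"), ("R3", "V")],
    "A2": [("A2", "R2"), ("R2", "R3"), ("R3", "V")],
    "C":  [("C", "R4"), ("R4", "R3"), ("R3", "V")],  # shares R3-V with attackers
}
ATTACKERS = {"A1", "A2"}

def marked_packets(src, n):
    """n packets from src, each inscribed with one edge mark of its path
    (round-robin marking, an assumption standing in for probabilistic marking)."""
    path = PATHS[src]
    return [(src, path[i % len(path)]) for i in range(n)]

def infected_edges(paths, attackers):
    """Edges on any attacker's path are 'infected'; all other edges are 'clean'."""
    return {e for a in attackers for e in paths[a]}

def proportional(packets, capacity):
    """Serve `capacity` packets in arrival proportion (FIFO of a mixed queue, floored)."""
    by_src = Counter(src for src, _ in packets)
    total = sum(by_src.values())
    if total == 0 or capacity <= 0:
        return Counter()
    return Counter({s: capacity * n // total for s, n in by_src.items()})

def serve(packets, capacity, infected=None):
    """Packets served per source. infected=None means no filtering; otherwise
    clean-marked packets are served first and infected-marked packets only
    compete for whatever capacity is left."""
    if infected is None:
        return proportional(packets, capacity)
    clean = [p for p in packets if p[1] not in infected]
    dirty = [p for p in packets if p[1] in infected]
    served = proportional(clean, min(capacity, len(clean)))
    served += proportional(dirty, capacity - sum(served.values()))
    return served

def legitimate_throughput(n_attack=60, n_legit=30, capacity=30):
    """Packets of client C served per round without and with the filter."""
    packets = (marked_packets("A1", n_attack) + marked_packets("A2", n_attack)
               + marked_packets("C", n_legit))
    bad = infected_edges(PATHS, ATTACKERS)
    return serve(packets, capacity)["C"], serve(packets, capacity, bad)["C"]
```

With these constructed numbers the client's served packets rise from 6 to 20 per round, because only the marks from the shared edge R3-V near the victim ever put a legitimate packet in the "infected" class.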

Index Terms:
Distributed Denial of Service (DDoS), IP traceback, performance modeling and simulation.
Minho Sung, Jun Xu, "IP Traceback-Based Intelligent Packet Filtering: A Novel Technique for Defending against Internet DDoS Attacks," IEEE Transactions on Parallel and Distributed Systems, vol. 14, no. 9, pp. 861-872, Sept. 2003, doi:10.1109/TPDS.2003.1233709