PacketScore: A Statistics-Based Packet Filtering Scheme against Distributed Denial-of-Service Attacks
Issue No.02 - April-June (2006 vol.3)
Wing Cheong Lau , IEEE
Mooi Choo Chuah , IEEE
H. Jonathan Chao , IEEE
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/TDSC.2006.25
Distributed Denial-of-Service (DDoS) attacks are a critical threat to the Internet. This paper introduces a DDoS defense scheme that supports automated online attack characterizations and accurate attack packet discarding based on statistical processing. The key idea is to prioritize a packet based on a score which estimates its legitimacy given the attribute values it carries. Once the score of a packet is computed, this scheme performs score-based selective packet discarding where the dropping threshold is dynamically adjusted based on the score distribution of recent incoming packets and the current level of system overload. This paper describes the design and evaluation of automated attack characterizations, selective packet discarding, and an overload control process. Special considerations are made to ensure that the scheme is amenable to high-speed hardware implementation through scorebook generation and pipeline processing. A simulation study indicates that PacketScore is very effective in blocking several different attack types under many different conditions.
Network level security and protection, performance evaluation, traffic analysis, network monitoring, security, simulation.
Wing Cheong Lau, Mooi Choo Chuah, H. Jonathan Chao, "PacketScore: A Statistics-Based Packet Filtering Scheme against Distributed Denial-of-Service Attacks", IEEE Transactions on Dependable and Secure Computing, vol.3, no. 2, pp. 141-155, April-June 2006, doi:10.1109/TDSC.2006.25