This Article 
 Bibliographic References 
 Add to: 
PacketScore: A Statistics-Based Packet Filtering Scheme against Distributed Denial-of-Service Attacks
April-June 2006 (vol. 3 no. 2)
pp. 141-155
Distributed Denial-of-Service (DDoS) attacks are a critical threat to the Internet. This paper introduces a DDoS defense scheme that supports automated online attack characterizations and accurate attack packet discarding based on statistical processing. The key idea is to prioritize a packet based on a score which estimates its legitimacy given the attribute values it carries. Once the score of a packet is computed, this scheme performs score-based selective packet discarding where the dropping threshold is dynamically adjusted based on the score distribution of recent incoming packets and the current level of system overload. This paper describes the design and evaluation of automated attack characterizations, selective packet discarding, and an overload control process. Special considerations are made to ensure that the scheme is amenable to high-speed hardware implementation through scorebook generation and pipeline processing. A simulation study indicates that PacketScore is very effective in blocking several different attack types under many different conditions.

[1] Akamai Technologies, Inc., http:/, 2006.
[2] B. Babcock et al., “Models and Issues in DataStream Systems,” ACM Symp. Principles of Database Systems, June 2002.
[3] M.C. Chuah, W. Lau, Y. Kim, and H.J. Chao, “Transient Performance of PacketScore for Blocking DDoS Attack,” Proc. IEEE Int'l Conf. Comm., 2004.
[4] Cisco IOS Security Configuration Guide, Release 12.2, “Configuring Unicast Reverse Path Forwarding,” pp. SC-431-SC-446, product/software/ios122/122cgcr/fsecur_c/ fothersfscfrpf.pdf, 2006.
[5] C. Estan, S. Savage, and G. Varghese, “Automatically Inferring Patterns of Resource Consumption in Network Traffic,” Proc. 2003 ACM SIGCOMM, pp 137-148, 2003.
[6] CSI/FBI Survey, survey.jhtml , 2006.
[7] FBI Fugitive, echouafni_s.htm, 2006.
[8] P. Ferguson and D. Senie, “Network Ingress Filtering: Defeating Denial of Service Attacks which Employ IP Source Address Spoofing,” RFC 2827, 2000.
[9] L. Garber, “Denial-of-Service Attacks Rip the Internet,” Computer, pp. 12-17, Apr. 2000.
[10] J. Ioannidis and S.M. Bellovin, “Implementing Pushback: Router-Based Defense against DDoS Attacks,” Proc. Network and Distributed System Security Symp., Feb. 2002.
[11] C. Jin, H. Wang, and K.G. Shin, “Hop-Count Filtering: An Effective Defense against Spoofed Traffic,” Proc. ACM Conf. Computer and Comm. Security (CCS '03), Oct. 2003.
[12] J. Jung, B. Krishnamurthy, and M. Rabinovich, “Flash Crowds and Denial of Service Attacks: Characterization and Implications for CDNs and Web Sites,” Proc. Int'l World Wide Web Conf., May 2002.
[13] S. Kasera et al., “Fast and Robust Signaling Overload Control,” Proc. Int'l Conf. Network Protocols, Nov. 2001.
[14] A.D. Keromytis, V. Misra, and D. Rubenstein, “SOS: An Architecture for Mitigating DDoS Attacks,” IEEE J. Selected Areas in Comm., vol. 22, no. 1, pp. 176-188, Jan. 2004.
[15] A. Kuzmanovic and E.W. Knightly, “Low-Rate TCP-Targeted Denial of Service Attacks (The Shrew vs. the Mice and Elephants),” Proc. ACM SIGCOMM 2003, Aug. 2003.
[16] H. Kim and I. Kang, “On the Effectiveness of Martian Address Filtering and Its Extensions,” Proc. IEEE GLOBECOM, Dec. 2003.
[17] Y. Kim, J.Y. Jo, H.J. Chao, and F. Merat, “High-Speed Router Filter for Blocking TCP Flooding under Distributed Denial-of-Service Attack,” Proc. IEEE Int'l Performance, Computing, and Comm. Conf., Apr. 2003.
[18] Y. Kim, J.Y. Jo, and F. Merat, “Defeating Distributed Denial-of-Service Attack with Deterministic Bit Marking,” Proc. IEEE GLOBECOM, Dec. 2003.
[19] Y. Kim, W.C. Lau, M.C. Chuah, and H.J. Chao, “PacketScore: Statistics-Based Overload Control against Distributed Denial-of-Service Attacks,” Proc. IEEE INFOCOM, Mar. 2004.
[20] Q. Li, E.C. Chang, and M.C. Chan, “On the Effectiveness of DDoS Attacks on Statistical Filtering,” Proc. 2005 IEEE INFOCOM, 2005.
[21] D. Liu and F. Huebner, “Application Profiling of IP Traffic,” Proc. 27th Ann. IEEE Conf. Local Computer Networks (LCN), 2002.
[22] M. Mahoney and P.K. Chan, “Learning Nonstationary Models of Normal Network Traffic for Detecting Novel Attacks,” Proc. ACM 2002 SIGKDD, pp. 376-385, 2002.
[23] D. Marchette, “A Statistical Method for Profiling Network Traffic,” Proc. First USENIX Workshop Intrusion Detection and Network Monitoring, Apr. 1999.
[24] J. Mirkovic, G. Prier, and P. Reiher, “Attacking DDoS at the Source,” Proc. 10th IEEE Int'l Conf. Network Protocols, Nov. 2002.
[25] D. Moore, G.M. Voelker, and S. Savage, “Inferring Internet Denial-of-Service Activity,” Proc. 10th USENIX Security Symp., Aug. 2001.
[26] NLANR PMA Packet Trace Data, http://pma.nlanr.netTraces, 2006.
[27] K. Park and H. Lee, “On the Effectiveness of Probabilistic Packet Marking for IP Traceback under Denial of Service Attack,” Proc. IEEE INFOCOM, pp. 338-347, 2001.
[28] K. Park and H. Lee, “On the Effectiveness of Route-Based Packet Filtering for Distributed DoS Attack Prevention in Power-Law Internets,” Proc. ACM SIGCOMM, pp. 15-26, 2001.
[29] S. Savage, D. Wetherall, A. Karlin, and T. Anderson, “Network Support for IP Traceback,” IEEE/ACM Trans. Networking, vol. 9, no. 3, June 2001.
[30] H. Wang, D. Zhang, and K.G. Shin, “Change-Point Monitoring for the Detection of DoS Attacks,” IEEE Trans. Dependable and Secure Computing, vol. 1, no. 4, Oct.-Dec. 2004.
[31] Y. Xu and R. Guérin, “On the Robustness of Router-Based Denial-of-Service (DoS) Defense Systems,” ACM SIGCOMM Computer Comm. Rev., vol. 35, no. 3, July 2005.
[32] A. Yaar and D. Song, “Pi: A Path Identification Mechanism to Defend against DDoS Attacks,” Proc. IEEE Symp. Security and Privacy, 2003.
[33] A. Yaar and D. Song, “SIFF: A Stateless Internet Flow Filter to Mitigate DDoS Flooding Attacks,” Proc. 2004 IEEE Symp. Security and Privacy, 2004.

Index Terms:
Network level security and protection, performance evaluation, traffic analysis, network monitoring, security, simulation.
Yoohwan Kim, Wing Cheong Lau, Mooi Choo Chuah, H. Jonathan Chao, "PacketScore: A Statistics-Based Packet Filtering Scheme against Distributed Denial-of-Service Attacks," IEEE Transactions on Dependable and Secure Computing, vol. 3, no. 2, pp. 141-155, April-June 2006, doi:10.1109/TDSC.2006.25
Usage of this product signifies your acceptance of the Terms of Use.