(IJCSIS) International Journal of Computer Science and Information Security,
Vol. 9, No. 5, 2011
Establishing an Effective Combat Strategy for Prevalent Cyber-Attacks

Vivian Ogochukwu Nwaocha
University of Nigeria, Nsukka
Computer Science Department
ogochukwuvee@gmail.com

Inyiama H.C.
University of Nigeria, Nsukka
Computer Science Department
drhcinyiama@gmail.com
Abstract—As organisations continue to incorporate the Internet as a key component of their operations, the global cyber-threat level is increasing. One of the most common types of cyber-threats is known as the Distributed Denial of Service (DDoS) attack, an attack preventing users from accessing a system for a period of time. Recent DDoS attacks have left large corporate and government networks inaccessible to customers, partners and users for hours or days, resulting in significant financial, reputational, and other losses. The attack power of a Distributed DoS (DDoS) attack is based on the massive number of attack sources instead of the vulnerabilities of one particular protocol. DDoS attacks, which aim at overwhelming a target server with an immense volume of useless traffic from distributed and coordinated attack sources, are a major threat to the stability of the Internet. The number and variety of both the attacks and the defense mechanisms is enormous. Though an array of schemes has been proposed for the detection of the presence of these attacks, classification of the TCP flows as a normal flow or a malicious one, identifying the sources of the attacks and mitigating the effects of the attacks once they have been detected, there is still a dearth of complete frameworks that encompass multiple stages of the process of defense against DDoS attacks. The growing use of cloud computing services and shared infrastructure is further increasing the importance of having a considered plan for managing such attacks. For a proactive mitigation against DDoS attacks, we propose an integrated framework which would handle the classification, mitigation and traceback of these attacks. Thus, developing an effective mitigation strategy is an important measure to minimize the risk posed to an organisation by the threat of DDoS attacks.

Keywords: attacks; classification; cyber; detection; distributed denial of service (DDoS); intrusion; mitigation; traceback

I. INTRODUCTION

The growing population using public networks has brought about an increase in the incidence of network intrusion, and hence the need for an equivalent increase in business owners' duty to guarantee due diligence and fiduciary responsibility with respect to protecting users against all causes of loss or damage. The potential costs of failing to do so can in fact be quite enormous. Amongst the security threats, the most severe to the steady functioning of any network are Distributed Denial-of-Service (DDoS) attacks. Distributed Denial of Service (DDoS) is one of the major threats for the Internet because of its ability to create a huge volume of unwanted traffic [1]. The primary goal of these attacks is to prevent access to a particular resource such as a Web site [2].

The first reported large-scale DDoS attack occurred in August, 1999, against the University of Minnesota [3]. This attack shut down the victim's network for more than two days. In the year 2000, a DDoS attack stopped several major commercial Web sites, including Yahoo and CNN, from performing their normal activities [3]. In [4], D. Moore et al. used backscatter analysis on three week-long datasets to assess the number, duration and focus of DDoS attacks, and to characterize their behaviour. They found that more than 12,000 attacks had occurred against more than 5,000 distinct victims in February, 2001. In October, 2002, the Domain Name System (DNS) in the Cooperative Association for Internet Data Analysis (CAIDA) network became the victim of a heavy DDoS attack. Many legitimate users could not access web sites because their DNS requests were not able to reach root DNS servers. The congestion caused by the DDoS attack forced routers to drop these requests [5]. A more serious DNS-based DDoS attack was reported in March, 2006 [6]. Instead of attacking DNS servers directly, this new type of DDoS attack used DNS servers as reflectors to create a stronger attack. This kind of DDoS is harder to stop than normal DDoS attacks due to complicated DNS protocols and interaction among multiple DNS servers. During two months, 1,500 individual Internet protocol addresses were attacked using this approach.

As organisations continue to incorporate the Internet as a key component of their operations, the global cyber-threat level is increasing. One of the most common types of cyber-threats is known as the Distributed Denial of Service (DDoS) attack, an attack preventing users from accessing a system for a period of time. Recent DDoS attacks have left large corporate and government networks inaccessible to customers, partners and users for hours or days, resulting in significant financial, reputational, and other losses. The attack power of a Distributed DoS (DDoS) attack is based on the massive number of attack sources instead of the vulnerabilities of one
particular protocol. DDoS attacks, which aim at overwhelming a target server with an immense volume of useless traffic from distributed and coordinated attack sources, are a major threat to the stability of the Internet. The number and variety of both the attacks and the defense mechanisms is enormous. Though an array of schemes has been proposed for the detection of the presence of these attacks, classification of the TCP flows as a normal flow or a malicious one, identifying the sources of the attacks and mitigating the effects of the attacks once they have been detected, there is still a dearth of complete frameworks that encompass multiple stages of the process of defense against DDoS attacks. The growing use of cloud computing services and shared infrastructure is further increasing the importance of having a considered plan for managing such attacks. For a proactive mitigation against DDoS attacks, we propose an integrated framework which would handle the classification, mitigation and traceback of these attacks. Thus, developing an effective mitigation strategy is an important measure to minimize the risk posed to an organisation by the threat of DDoS attacks.

II. DISTRIBUTED DENIAL OF SERVICE ATTACKS

A Denial of Service (DoS) attack is commonly characterized as an event in which a legitimate user or organisation is deprived of certain services, such as e-mail or network connectivity, that they would normally expect to have. DoS attacks [7, 8] inject maliciously-designed packets into the network to deplete some or all of these resources. The attack power of a Distributed DoS (DDoS) attack [9] is based on the massive number of attack sources instead of the vulnerabilities of one particular protocol. DDoS attacks, which aim at overwhelming a target server with an immense volume of useless traffic from distributed and coordinated attack sources, are a major threat to the stability of the Internet. The number and variety of both the attacks and the defense mechanisms is enormous. Though an array of schemes has been proposed for the detection of the presence of these attacks, characterizing the flows as a normal flow or a malicious one, identifying the sources of the attacks and mitigating the effects of the attacks once they have been detected, there is still a dearth of complete frameworks that encompass multiple stages of the process of defense against DoS attacks.

For a proactive mitigation against flooding-based DDoS attacks, we propose an integrated framework which would handle the classification. As one of the major security problems in the Internet, a denial-of-service (DoS) attack always attempts to stop the victim from serving legitimate users. A distributed denial-of-service (DDoS) attack is a DoS attack which relies on multiple compromised hosts in the network to attack the victim. There are two types of DDoS attacks. The first type of DDoS attack has the aim of attacking the victim to force it out of service for legitimate users by exploiting software and protocol vulnerabilities of the system [10]. The second type of DDoS attack is based on a huge volume of attack traffic, which is known as a flooding-based DDoS attack. A flooding-based DDoS attack attempts to congest the victim's network bandwidth with real-looking but unwanted IP data. As a result, legitimate IP packets cannot reach the victim due to a lack of bandwidth resource. To amplify the effects and hide real attackers, DDoS attacks can be run in two different distributed coordinated fashions. In the first one, the attacker compromises a number of agents and manipulates the agents to send attack traffic to the victim. The second method makes it even harder to determine the attack sources because it uses reflectors. A reflector is any host that will return a packet if it receives a request packet [11]. For example, a Web server can be a reflector because it will return an HTTP response packet after receiving an HTTP request packet. The attacker sends request packets to servers and fakes the victim's address as the source address. Therefore, the servers will send back the response packets to the real victim. If the number of reflectors is large enough, the victim network will suffer exceptional traffic congestion. Before we introduce the DDoS attack architectures and mechanisms, we give two basic definitions. First, the DDoS attack traffic is the traffic which is produced or triggered by the compromised agents. Second, the legitimate traffic is the traffic which is produced by the normal hosts. In order to analyze DDoS attacks, two basic distributed architectures of flooding-based DDoS attacks and common IP spoofing techniques were employed. Furthermore, we specify the basic mechanism of spoofing-based DDoS attacks and list three typical flooding-based DDoS attacks.

A. Distributed Cooperative Architecture of DDoS

Before real attack traffic reaches the victim, the attacker must cooperate with all its DDoS agents. Consequently, there must be control channels between the agents and the attacker. This collaboration requires that all agents send traffic based on commands received from the attacker. The network which consists of the attacker, agents, and control channels is called the attack network. In [12], attack networks are divided into three types: the agent-handler model, the Internet Relay Chat (IRC)-based model, and the reflector model.
Figure 1. Classic Architecture of a DDoS Attack

The agent-handler model consists of three components: attacker, handlers, and agents. Figure 1 illustrates the typical architecture of the model. One attacker sends control messages to the previously compromised agents through a number of handlers, instructing them to produce unwanted traffic and send it to the victim. The architecture of the IRC-based model is not much different from that of the agent-handler model, except that instead of communication between an attacker and agents based on handlers, an IRC communication channel is used to connect the attacker to agents [12]. Fig. 2 illustrates the architecture of an attack network in the reflector model. The reflector layer makes a major difference from the typical DDoS attack architecture. In the request messages, the agents modify the source address field in the IP header, using the victim's address to replace the real agents' addresses. Then, the reflectors will in turn generate response messages to the victim. As a result, the flooding traffic which reaches the victim is not from a few hundred agents, but from a million reflectors [11]. An exceedingly diffused reflector-based DDoS attack raises the bar for tracing out the real attacker by hiding the attacker behind a large number of reflectors. Unlike some types of DDoS attacks, "the reflector does not need to serve as an amplifier" [11]. This means that reflectors can still serve other legitimate requests properly even when they are generating attack traffic. The attacker does not need to compromise reflectors to control their behaviour in the way that agents need to be compromised. Therefore, any host which will return a response if it receives a request can be a reflector. These features facilitate the attacker's task of launching an attack because it just needs to compromise a small number of agents and find a sufficient number of reflectors.

Figure 2. Architecture of a DDoS attack using reflectors

B. IP Spoofing

IP spoofing is used in all DDoS attacks as a basic mechanism to hide the real address of agents or the attacker. In a classical DDoS attack, the agents randomly spoof the source addresses in the IP header. In a reflector-based DDoS attack, agents must put the victim's address in the source address field. The spoofed addresses can be addresses of either existing or non-existing hosts. To avoid ingress filtering, the attacker can use addresses that are valid in the internal network, because non-existing addresses have a high possibility of being filtered out. In the real world, it is possible to launch an attack without IP spoofing if the attacker can compromise enough hosts. In this situation, the attacker would consider how to avoid being traced. Usually, the attacker will use a chain of compromised hosts. Tracing a chain which extends across multiple countries is very hard to achieve. Furthermore, compromising poorly monitored hosts in a network will make tracing more difficult due to a lack of information. In these situations, IP spoofing is not a necessary step for hiding the attacker.

C. Flooding DDoS Attack Mechanisms

Flooding-based DDoS attacks involve agents or reflectors sending a large volume of unwanted traffic to the victim. The victim will be out of service for legitimate traffic because its connection resources are used up. Common connection resources include bandwidth and connection control in the victim system. Generally, flooding-based DDoS attacks consist of two types: direct and reflector attacks [65]. Figure 3 is another view of the process of a direct flooding-based DDoS attack. The architecture of the direct attack is the same as the typical DDoS attack reflected in Fig. 1.

Figure 3. A Direct-Flooding Based DDoS Attack

The agents send the Transmission Control Protocol/Internet Protocol (TCP), the Internet Control Message Protocol
(ICMP), the User Datagram Protocol (UDP), and other packets to the victim directly. The response packets from the victim will reach the spoofed receivers due to IP spoofing. In a reflector attack, presented in Fig. 2.4, the response packets from reflectors truly attack the victim. No response packets need be sent back to the reflector from the victim. The key factors to accomplishing a reflector attack include: setting the victim address in the source field of the IP header and finding enough reflectors. Basically, an attacker can utilize any protocol as the network layer platform for a flooding-based attack [10]. Direct attacks usually choose three mechanisms: TCP SYN flooding, ICMP echo flooding, and UDP data flooding [14]. The TCP SYN flooding mechanism is different from the other two mechanisms. It causes the victim to run out of all available TCP connection control resources by sending a large number of TCP SYN packets.

In a typical DDoS attack network, an attacker sends commands to compromised agents and requests that they send a large volume of traffic to overwhelm the bottleneck link in the victim network. To hide the attacker itself more deeply, a DDoS attack can construct an attack network with a reflector-based architecture. In the network, an attacker sends a packet whose source address has been set as the victim's address to reflectors.

III. RELATED WORK

We now review the existing combat strategies in this field, in order to compare our work with some associated work. Research in this area can be divided based on the following three issues: classification, mitigation and traceback (that is, DDoS detection, DDoS response, and DDoS defense framework). The earliest work on DDoS defense led to the concept of network traceback [15] by Burch and Cheswick. Bellovin et al. proposed ICMP-based out-of-band messaging in iTrace [16], while Snoeren et al. proposed SPIE [17] employing packet logging, which was subsequently improved by Li et al. in [18]. Belenky and Ansari proposed a deterministic packet marking scheme in [19], while Savage et al. proposed a probabilistic packet marking (PPM) technique in [20], with subsequent enhancements made by others in [21] [22] [23] [24]. IP address fragmentation for efficient packet marking and its vulnerability to attacker-induced noise have been studied in [25] and [26] respectively.

Recently, various encoding techniques have been used to progressively improve the performance of PPM schemes, as in Tabu marking [27], Local Topology marking [28], Space-Time encoding [29], Color Coding [30], and the use of Huffman Codes [31], Algebraic Geometric Codes [32] etc. Additionally, various architectures for traceback have been explored, such as inter-domain traceback [33] and hybrid traceback [34] [35], in addition to some other radical approaches like in [36]. Research on mitigating DDoS attacks has proceeded in parallel, focusing on network ingress filtering [37], routing table enhancements as in SAVE [38], CenterTrack [39] and intelligent filtering [40]. The concept of path fingerprints was exploited by Yaar et al. in [41], and subsequently improved in [42]. Various other techniques involving path filtering [43] [44], statistical filtering [45] [46], and rate limiting [47] [48] have also been explored in the literature. IP Marking [49] is traditionally used for IP Traceback.

The basic idea of the IP marking approach is that routers probabilistically write some encoding of partial path information into the packets during forwarding, so that based on this information the destination server can reconstruct the path that was taken by the packets. In [50], Song and Perrig have suggested Advanced and Authenticated Marking Schemes that encode the edge information in 16 bits of the packet to be marked. For this purpose, the 16-bit IP Identification field used for fragmentation in the IP header is overloaded, i.e. this field carries the encoding information instead of the regular packet fragmentation information. The obvious drawback in the methods discussed for IP Traceback is that they do not work for packets that are fragmented, as the IP Identification field is overloaded for edge information.

Several methods have been proposed to characterize attack flows. In [51], a simple statistics-based mechanism to detect TCP SYN flood attacks was proposed. The idea is to detect deviation from an expected balanced SYN/FIN packet ratio using a nonparametric, cumulative sum method. However, such a simple technique is not foolproof, as the attackers can mix their SYN and FIN packets. Subsequently, in [52] a spectral analysis method to distinguish attack flows from the normal ones by determining the periodicity in the packet process was proposed. But the method does so by using Welch's modified periodogram, which has several disadvantages as compared to the EPSD technique used in this paper.

Bohacek [53] suggested a mitigating approach that relies on routers filtering enough packets so that the server is not overwhelmed, while ensuring that as little filtering as possible is performed. He has proposed a solution wherein packets should be filtered at routers through which the attack packets are passing. But it is a reactive mitigation technique that also has the drawback that legitimate traffic packets may be dropped en route to the destination. In [54], Kalantari et al. have proposed a proactive method for mitigation of the effects of DDoS attacks wherein each router maintains a partition of active TCP flows into aggregates. Each aggregate is probed to estimate the proportion of attack traffic that it contains. Packets belonging to aggregates that contain significant amounts of attack traffic may be subject to aggressive drop policies to prevent attack at the intended victim. Again, in this case too, legitimate packets face the risk of being dropped. For the purpose of our work, we define aggregates as a vital element of the approach. Additionally, aggregates are defined in advance of the attack so that their response measurements are taken on normal (non-attack) traffic, in order to be compared later on with measurements under an attack, if any.
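The SYN/FIN-ratio detector of [51] described above, as an added example that is not code from this paper or from [51]: per-interval SYN and FIN counts feed a non-parametric CUSUM, and the smoothing factor, offset a and threshold N are assumed values. The last constructed trace reproduces the weakness the text notes: a flood that also sends FIN packets keeps the ratio balanced and is not caught.

```python
"""Non-parametric CUSUM on the SYN/FIN balance, after the idea in [51].

Added example; not code from the paper or from [51]. Each observation interval
contributes the SYN and FIN counts seen on the monitored link. Under normal load
every connection brings one SYN and, later, one FIN, so the FIN-normalised
difference X_n = (SYN_n - FIN_n) / F_n stays near zero (F_n is an EWMA of the
FIN count). The statistic y_n = max(0, y_{n-1} + X_n - a) is held at zero in
normal traffic by the offset a and accumulates during a SYN flood until it
crosses the threshold N. The constants alpha, a and N are illustrative
assumptions, not values taken from [51].
"""
from dataclasses import dataclass


@dataclass
class SynFinCusum:
    alpha: float = 0.2       # EWMA weight for the FIN baseline (assumed)
    offset: float = 0.3      # 'a': upper bound on the normal mean of X_n (assumed)
    threshold: float = 2.0   # 'N': alarm level for the CUSUM statistic (assumed)
    fin_baseline: float = 0.0
    statistic: float = 0.0
    intervals_seen: int = 0

    def update(self, syn: int, fin: int) -> bool:
        """Consume one interval; return True while the statistic is above threshold."""
        if self.intervals_seen == 0:
            self.fin_baseline = float(fin)
        else:
            self.fin_baseline = (1 - self.alpha) * self.fin_baseline + self.alpha * fin
        self.intervals_seen += 1
        x = (syn - fin) / max(self.fin_baseline, 1.0)   # guard an all-zero baseline
        self.statistic = max(0.0, self.statistic + x - self.offset)
        return self.statistic > self.threshold


def first_alarm(intervals, detector=None):
    """Index of the first interval that raises the alarm, or None if none does."""
    det = detector or SynFinCusum()
    for i, (syn, fin) in enumerate(intervals):
        if det.update(syn, fin):
            return i
    return None


# Constructed per-second (SYN, FIN) counts for three scenarios.
NORMAL = [(100, 98), (105, 103), (97, 99), (102, 100)]
SYN_FLOOD = NORMAL + [(800, 100), (900, 105)]       # SYNs without matching FINs
MIXED_FLOOD = NORMAL + [(500, 500), (520, 520)]     # flood that also sends FINs

if __name__ == "__main__":
    for name, trace in (("normal", NORMAL), ("syn flood", SYN_FLOOD), ("mixed", MIXED_FLOOD)):
        print(f"{name}: first alarm at interval {first_alarm(trace)}")
```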
On the whole, studies have indicated that some of the mitigation techniques in practice today suffer from the following drawbacks:
1. They are reactive in nature.
2. They deploy packet dropping policies at the routers wherein even legitimate packets face the risk of being dropped.
3. The topology of the network needs to be known in advance.
The mitigation technique employed in the framework proposed in this paper seeks to do away with all these drawbacks, as we shall see in the next section.

IV. PROPOSED SOLUTION

In this section, we shall outline the various facets of our proposed framework for defense against DDoS attacks. The proposed framework provides for proactive mitigation against the effect of DDoS attacks as described next. Whenever a packet arrives at a router to be forwarded to the server to be protected from a DDoS attack, instead of sending that packet on the outbound link, a copy of its header [55] is sent toward the server for characterization. This provides a proactive approach to mitigation against the attack, as the bandwidth of the links involved will not be exhausted by the voluminous attack traffic: only the headers (which are small in size) will traverse the links to the server.

The technique to be used in this framework for mitigation provides the dual functionality of IP Traceback as well. The 16-bit IP Identification field in the header of the original packet, which was traditionally used for traceback, need not be used now. In the proposed technique, the IP Identification field of the original packet will not be used for traceback purposes. Instead, the IP Identification field in the generated copy of the header will be used to store the edge information. The generated copies of headers represent the actual dynamics of the traffic flow to which they belong. These headers will be subject to the characterization test described next.

For classification, instead of the Welch's periodogram method used in [52], the Exactly Periodic Subspace Decomposition (EPSD) [56] technique will be used as part of this framework. The EPSD technique does away with the disadvantages of Welch's method through a different selection of the time domain input elements that constitute the frequency domain output elements. To get a better understanding of the proposed model, consider the sample topology shown in Figure 5. The topology considered is similar to the one used traditionally to depict a typical client-server scenario in the Internet for simulation purposes [6].

Figure 4. Proposed Framework (legend: L - Distance; V - Server; C - Bottleneck Link; R - Set of routers; Clients)

The clients (attack and legitimate) send their requests to the server V (indicated by thick arrows). The routers (set R) en route from the clients to the server will proactively generate copies of these packets and save the original packets with them. These routers will also stamp their identity in the Identification field of the copy of the IP header thus generated and send them to V (indicated by thin arrows). The other routers through which these header copies traverse before reaching V will also append their edge information in the same Identification field. Once these header copies reach the bottleneck link C, they will undergo the EPSD test for periodicity, and thus the flows will be characterized as attack or legitimate. Only if a flow is characterized as a legitimate flow will the routers belonging to set R be instructed to forward the stored packets to the server. If a flow is characterized as an attack flow, then the encoding information in the generated copies of the headers will be used to construct the attack graph for IP Traceback [57], and the routers (set R) will be asked to drop the corresponding original attack packets. A flowchart depicting the solution is illustrated below.
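The EPSD periodicity test at the centre of the proposed framework, as an added example (not the authors' code): a simplified exactly periodic subspace decomposition in the spirit of [56], applied to a binned count series of header copies for one flow. Assumptions: the candidate periods are the divisors of the series length, the bin width and sample arrivals are constructed, and the threshold policy (which side of the score is the attack class) is left to the caller, since the paper does not fix it.

```python
"""Simplified exactly periodic subspace decomposition (EPSD) as a periodicity test.

Added example, not code from the paper or from [56]. A flow's header copies are
binned into a count series x of length N. For each period p dividing N, the
projection of x onto the p-periodic subspace is the comb average over the N/p
repetitions; the *exactly* p-periodic component is that projection minus the
exactly q-periodic components for every proper divisor q of p. These components
are mutually orthogonal, so their energies add up to ||x||^2 and the share held
by the strongest non-DC component is a periodicity score in [0, 1].
"""


def divisors(n):
    """All positive divisors of n, ascending."""
    return [d for d in range(1, n + 1) if n % d == 0]


def periodic_projection(x, p):
    """Orthogonal projection of x onto p-periodic signals (len(x) must be a multiple of p)."""
    n = len(x)
    if n % p:
        raise ValueError("period must divide the series length")
    reps = n // p
    avg = [sum(x[k] for k in range(i, n, p)) / reps for i in range(p)]
    return [avg[i % p] for i in range(n)]


def epsd(x):
    """Map period p -> exactly-p-periodic component, for every p dividing len(x)."""
    comps = {}
    for p in divisors(len(x)):
        comp = periodic_projection(x, p)
        for q in divisors(p)[:-1]:            # proper divisors, computed earlier
            comp = [a - b for a, b in zip(comp, comps[q])]
        comps[p] = comp
    return comps


def energy(v):
    return sum(a * a for a in v)


def epsd_spectrum(x):
    """Period -> fraction of the total energy in its exactly periodic component."""
    total = energy(x)
    if total == 0:
        return {p: 0.0 for p in divisors(len(x))}
    return {p: energy(c) / total for p, c in epsd(x).items()}


def periodicity_score(x):
    """Largest non-DC spectral share; 0.0 for a constant or empty series."""
    spec = epsd_spectrum(x)
    return max((s for p, s in spec.items() if p > 1), default=0.0)


def dominant_period(x):
    """Non-DC period carrying the most energy, or None for a trivial series."""
    spec = epsd_spectrum(x)
    return max((p for p in spec if p > 1), key=lambda p: spec[p], default=None)


def bin_counts(timestamps_ms, bin_width_ms, n_bins):
    """Count header-copy arrivals per bin; arrivals beyond the window are ignored."""
    counts = [0] * n_bins
    for t in timestamps_ms:
        b = t // bin_width_ms
        if 0 <= b < n_bins:
            counts[b] += 1
    return counts


# Constructed arrival times (ms) for two flows, binned into N = 12 bins of 5 ms.
CADENCED_FLOW = bin_counts([0, 20, 40], 5, 12)          # one copy every 20 ms
IRREGULAR_FLOW = [3, 1, 4, 1, 5, 9, 2, 6, 5, 3, 5, 8]   # bursty, no fixed cadence

if __name__ == "__main__":
    for name, series in (("cadenced", CADENCED_FLOW), ("irregular", IRREGULAR_FLOW)):
        print(name, dominant_period(series), round(periodicity_score(series), 3))
```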
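The header-copy marking and attack-graph reconstruction of the framework above, which also illustrates the 16-bit Identification-field marking reviewed under Related Work, as an added example that is not the paper's code: routers in set R hold originals and emit marked header copies, transit routers append their identity, and V decodes the path and returns a FORWARD or DROP verdict. Assumed for illustration: 4-bit router identities packed as nibbles (so at most four hops fit), and a classification verdict supplied by the caller in place of the EPSD test.

```python
"""Header-copy marking and attack-graph reconstruction for the proposed framework.

Added example, not the paper's code. An edge router in set R holds each original
packet, emits a copy of its header toward V with its own identity in the copy's
16-bit Identification field, and every transit router appends its edge
information to that same field. The original's Identification field is untouched,
so fragmentation of the real packet still works. V decodes the path from each
copy and, once the flow is classified, returns a verdict to the holding router.
Assumptions not in the paper: router identities are 4-bit numbers packed as
nibbles (latest hop in the low nibble); real schemes such as [50] compress
32-bit addresses into the field instead.
"""
from collections import defaultdict

ID_BITS, HOP_BITS = 16, 4
ID_MASK, HOP_MASK = (1 << ID_BITS) - 1, (1 << HOP_BITS) - 1


class Router:
    def __init__(self, rid):
        if not 0 < rid <= HOP_MASK:
            raise ValueError("router id must fit in one nibble (assumed encoding)")
        self.rid = rid
        self.held = defaultdict(list)      # flow -> originals awaiting a verdict
        self.forwarded = defaultdict(int)
        self.dropped = defaultdict(int)

    def ingress(self, flow, packet):
        """Edge behaviour (set R): hold the original, emit a marked header copy."""
        self.held[flow].append(packet)
        return {"flow": flow, "ident": self.rid}

    def transit(self, copy):
        """Append this router's identity to the copy's Identification field."""
        if copy["ident"] >> (ID_BITS - HOP_BITS):
            raise OverflowError("more hops than the 16-bit field can hold")
        return {**copy, "ident": ((copy["ident"] << HOP_BITS) | self.rid) & ID_MASK}

    def apply(self, verdict):
        """Release or discard the held originals of one flow; return how many."""
        flow, action = verdict
        packets = self.held.pop(flow, [])
        if action == "FORWARD":
            self.forwarded[flow] += len(packets)
        else:
            self.dropped[flow] += len(packets)
        return len(packets)


def decode_path(ident):
    """Unpack the nibbles into router ids ordered from the edge router toward V."""
    hops = []
    while ident:
        hops.append(ident & HOP_MASK)
        ident >>= HOP_BITS
    return hops[::-1]


class Server:
    """V: collects header copies per flow and builds the attack graph [57]."""

    def __init__(self):
        self.copies = defaultdict(list)

    def receive(self, copy):
        self.copies[copy["flow"]].append(copy)

    def attack_graph(self, flow):
        """Set of (upstream, downstream) router edges seen on this flow's copies."""
        edges = set()
        for copy in self.copies[flow]:
            path = decode_path(copy["ident"])
            edges.update(zip(path, path[1:]))
        return edges

    def verdict(self, flow, is_attack):
        return (flow, "DROP" if is_attack else "FORWARD")


def run_scenario(n_attack=5, n_legit=3):
    """Constructed topology: flow A enters at R1 -> R3 -> R4 -> V, flow B at R2 -> R4 -> V."""
    r1, r2, r3, r4 = Router(1), Router(2), Router(3), Router(4)
    v = Server()
    routes = {"A": (r1, [r3, r4], n_attack), "B": (r2, [r4], n_legit)}
    for flow, (edge, transit, count) in routes.items():
        for i in range(count):
            copy = edge.ingress(flow, {"seq": i})       # constructed original packet
            for router in transit:
                copy = router.transit(copy)
            v.receive(copy)
    # Flow A is declared the attack flow by construction; the EPSD test is out of scope here.
    for flow, (edge, _, _) in routes.items():
        edge.apply(v.verdict(flow, is_attack=(flow == "A")))
    return {"graph_A": v.attack_graph("A"), "graph_B": v.attack_graph("B"),
            "dropped_A": r1.dropped["A"], "forwarded_B": r2.forwarded["B"],
            "still_held": sum(len(r.held) for r in (r1, r2, r3, r4))}
```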
Figure 5. Flowchart of the Proposed Framework

V. CONCLUSION AND FUTURE WORK

As malicious entities unleash an increasing number of DDoS attacks on the Internet, it has become imperative not only to track them to hold them liable (traceback), but also to limit their capabilities and render them ineffective (mitigation). In this paper, we propose a novel framework that provides both traceback and mitigation capabilities. On the whole, studies have indicated that some of the mitigation techniques in practice today suffer from the following drawbacks: they are reactive in nature; they deploy packet dropping policies at the routers wherein even legitimate packets face the risk of being dropped; the topology of the network needs to be known in advance. The mitigation technique employed in the framework proposed in this study seeks to do away with all these drawbacks. We hope to evaluate the proposed framework and techniques on an NS2 network simulation platform in our subsequent work.

REFERENCES

[1] K. Xu, Z.-L. Zhang, and S. Bhattacharyya, "Reducing unwanted traffic in a backbone network," in Steps to Reducing Unwanted Traffic on the Internet Workshop (SRUTI), 2005, pp. 9-15.
[2] CERT Coordination Center, "Denial of service attacks." Available at http://www.cert.org/tech_tips/denial_of_service.html, March 2007.
[3] L. Garber, "Denial-of-service attacks rip the Internet." IEEE Computer, vol. 33, no. 4, April 2000, pp. 12-17.
[4] D. Moore, G. M. Voelker, and S. Savage, "Inferring Internet denial-of-service activity." in Proceedings of the 10th USENIX Security Symposium, August 2001.
[5] CAIDA, "Nameserver DoS attack October 2002." Available at http://www.caida.org/funding/dns-analysis/oct02dos.xml, March 2007.
[6] ZDNet, "New denial-of-service threat emerges." Available at http://news.zdnet.com/2100-1009_22-6050688.html, March 2007.
[7] CERT. Denial of Service Attacks. http://www.cert.org/tech_tips/denial_of_service.html, 1997.
[8] K. J. Houle, G. M. Weaver, N. Long, and R. Thomas. "Trends in denial of service attack technology". Technical Report Version 1.0, CERT Coordination Center, Carnegie Mellon University (2001). http://www.cert.org/archive/pdf/DoS_trends.pdf.
[9] F. Lau, S. H. Rubin, M. H. Smith, and L. Trajković. "Distributed denial of service attacks," in Proceedings of IEEE International Conference on Systems and Cybernetics, vol. 3, pp. 2275-2280, 2000.
[10] J. Mölsä, "Mitigating denial of service attacks in computer networks". PhD thesis, Helsinki University of Technology, Espoo, Finland, June 2006.
[11] V. Paxson, "An analysis of using reflectors for distributed denial-of-service attacks." ACM SIGCOMM Computer Communication Review, vol. 31, no. 3, July 2001.
[12] S. M. Specht and R. B. Lee, "Distributed denial of service: taxonomies of attacks, tools and countermeasures." in Proceedings of the 17th International Conference on Parallel and Distributed Computing Systems, September 2004, pp. 543-550.
[13] R. K. Chang, "Defending against flooding-based distributed denial-of-service attacks: A tutorial." IEEE Commun. Mag., vol. 40, no. 10, October 2002, pp. 42-51.
[14] Cisco Systems, Inc., "Characterizing and tracing packet floods using Cisco routers." May 2005.
[15] H. Burch, B. Cheswick, "Tracing Anonymous Packets to their approximate source", in Proc. USENIX LISA, Dec. 2000.
[16] S. M. Bellovin, "ICMP traceback messages," Internet Draft, Mar. 2000.
[17] A. C. Snoeren et al., "Hash-Based IP Traceback," in SIGCOMM, 2001.
[18] Li et al., "Large-Scale IP Traceback in High-Speed Internet: Practical Techniques & Theoretical Foundation", in IEEE Symp. on Security & Privacy 2004.
[19] A. Belenky, N. Ansari, "IP Traceback with Deterministic Packet Marking", in IEEE Communication Letters, Apr 2003.
[20] Savage et al., "Practical Network Support for Traceback," in SIGCOMM, 2000.
[21] D. Song, A. Perrig, "Advanced and Authenticated Marking Schemes for IP traceback", in Proc. IEEE INFOCOM, 2001.
[22] M. Adler, "Tradeoffs in Probabilistic packet marking for IP traceback", in Proc. STOC, pp. 407-418, 2002.
[23] T. Peng, C. Leckie, K. Ramamohanarao, "Adjusted Probabilistic Packet Marking for IP Trace-back", in Proc. Networking, 2002.
[24] A. Yaar, A. Perrig, D. Song, "FIT: Fast Internet Traceback", in INFOCOM 2005.
[25] I. Hamadeh, G. Kesidis, "Performance of IP Address Fragmentation Strategies for DDoS trace-back", in Proc. IEEE IPOM, 2003.
[26] M. Waldvogel, "GOSSIB vs Traceback Rumors", in ACSAC, 2002.
[27] M. Ma, "Tabu Marking Scheme for Traceback", in IPDPS, 2005.
[28] B. Al-Duwairi, T. Daniels, "Topology Based Packet Marking," in ICCCN 2004.
[29] M. Muthuprasanna, G. Manimaran, "Space-Time Encoding for DDoS Attack Traceback", in Proc. IEEE GLOBECOM, 2005.
[30] M. Muthuprasanna, G. Manimaran, Mansoor Alicherry, Vijay Kumar, "Coloring the Internet: IP Traceback", in Proc. ICPADS, 2006.
[31] K. Choi, H. Dai, "A Marking Scheme using Huffman Codes for IP Traceback", in Proc. ISPAN, 2004.
[32] C. Bai et al., "Algebraic Geometric Code Based IP Traceback", in IPCCC 2004.
[33] Y. Sawai, M. Oe, K. Iida, Y. Kadobayashi, "Performance Evaluation of Inter-Domain IP Traceback", in Proc. IEEE ICT, 2003.
[34] B. Al-Duwairi, G. Manimaran, "Novel Hybrid Schemes employing Packet Marking & Logging for Traceback", in IEEE TPDS, 2005.
[35] Gong et al., "IP Traceback based on Packet Marking & Logging", in ICC 2005.
[36] M. Walfish, M. Vutukuru, Hari Balakrishnan, D. Karger, Scott Shenker, "DDoS Defense by Offense", in Proc. SIGCOMM, 2006.
[37] P. Ferguson, D. Senie, "Network ingress filtering: Defeating denial of service attacks which employ IP source address spoofing," in RFC 2267, 1998.
[38] J. Li, J. Mirkovic, M. Wang, M. Reiher, L. Zhang, "SAVE: Source address validity enforcement protocol", in Proc. of INFOCOM, 2001.
[39] R. Stone, "CenterTrack: An IP overlay network for tracking DoS floods", in Proc. USENIX Security Symposium, 2000.
[40] M. Sung, J. Xu, "Intelligent Packet Filtering: A Novel Technique for defending against DDoS Attacks", in IEEE TPDS, 2003.
[41] A. Yaar, A. Perrig, D. Song, "Pi: A Path Identification Mechanism to defend against DDoS Attacks," in Proc. IEEE Symposium on Security and Privacy, 2003.
[42] A. Yaar, A. Perrig, D. Song, "StackPi: New Packet Marking Filtering Mechanisms for DDoS & IP Spoofing Defense", in JSAC, pp. 1853-1863, Oct. 2006.
[43] C. Jin, H. Wang, K. G. Shin, "Hop-Count Filtering: An effective defense against spoofed DDoS traffic", in ACM CCS, 2003.
[44] A. Keromytis, V. Misra, D. Rubenstein, "SOS: An architecture for mitigating DDoS attacks", in IEEE JSAC, pp. 176-188, Jan. 2004.
[45] Y. Kim, W. Lau, M. Chuah, J. Chao, "PacketScore: A statistical-based overload control against DDoS attacks", in Proc. IEEE INFOCOM, 2004.
[46] T. Peng, C. Leckie, K. Ramamohanarao, "Protection from DDoS attacks using history-based IP filtering", in Proc. IEEE ICC, 2003.
[47] J. Ioannidis, S. M. Bellovin, "Implementing Pushback: Router-based defense against DDoS attacks", in Proc. NDSS, 2002.
[48] D. Yau, J. Lui, F. Liang, "Defending against DDoS attacks with max-min fair server-centric router throttles", in Proc. IWQoS, 2002.
[49] Stefan Savage, David Wetherall, Anna Karlin, and Tom Anderson, "Practical network support for IP traceback," in Proceedings of the 2000 ACM SIGCOMM Conference, Aug. 2000.
[50] Dawn Xiaodong Song and A. Perrig, "Advanced and authenticated marking schemes for IP traceback," Proceedings IEEE INFOCOM 2001, Twentieth Annual Joint Conference of the IEEE Computer and Communications Societies, Vol. 2, pp. 878-886, Apr. 2001.
[51] H. Wang, D. Zhang, and K. G. Shin, "Detecting SYN flooding attacks," in Proceedings of IEEE INFOCOM 2002, pp. 1530-1539, June 2002.
[52] Chen-Mou Cheng, H. T. Kung, and Koan-Sin Tan, "Use of Spectral Analysis in Defense Against DoS Attacks," in Proceedings of the Global Telecommunications Conference, 2002, GLOBECOM '02, IEEE, Vol. 3, pp. 2143-2148, Nov. 2002.
[53] B. Stephan, "Optimal filtering for denial of service mitigation," Proceedings of the 41st IEEE Conference on Decision and Control, 2002, Vol. 2, pp. 1428-1433, Dec. 2002.
[54] M. Kalantari, K. Gallicchio and M. A. Shayman, "Using transient behavior of TCP in mitigation of distributed denial of service attacks," Proceedings of the 41st IEEE Conference on Decision and Control, 2002, Vol. 2, pp. 1422-1427, Dec. 2002.
[55] S. Bellovin. ICMP traceback messages, March 2000. Internet Draft: http://www.cs.columbia.edu/~smb/papers/draft-bellovin-itrace-00.txt
[56] D. Darian Muresan and Thomas W. Parks, "Orthogonal, Exactly Periodic Subspace Decomposition," IEEE Trans. on Signal Processing, Vol. 51, No. 9, pp. 2270-2279, Sep. 2003.
[57] Stefan Savage, David Wetherall, Anna Karlin, and Tom Anderson, "Practical network support for IP traceback," in Proceedings of the 2000 ACM SIGCOMM Conference, Aug. 2000.