1
Packet-Marking Scheme for DDoS Attack Prevention
K. Stefanidis and D. N. Serpanos University of Patras
2
Introduction
DDoS attacks thrive… Detection works most of the time
They cannot be stopped because the sources of the attack are hard to find
Unlike most hacking attempts, no response from the victim is required
Thus, the source IP address of the attack packets is almost always spoofed
Proposed Solutions
Ingress filtering
Logging
Link testing
Packet Marking
3
Goals and Assumptions
We need to find a way to filter the packets that are part of a DDoS attack
Note: the source IP address can be spoofed
We need to find a way to distinguish legitimate from attack packets
No additional information except the packet's contents should be required
No additional packets should be required
Attacker may generate any packet
Attacker knows that he is being traced
Attacker knows the traceback scheme
Routing is stable most of the time
Routers are not compromised
Routers are CPU and memory limited
4
Marking Scheme - Overview
Packets are marked by all the routers along their path
Upon arrival, packets carry a distinct mark that denotes their path
A path field and a distance field compose the mark
Routers XOR part of their IP address with the existing path field
They also increase the distance field by one
5
Marking Procedure
We overload part of the fragmentation fields of the IP header
The first router along the path initializes the marking
The other routers inject their information
Scheme is robust against false markings
6
Filtering and Traceback
Detection/Filtering system can use packet markings instead of the source IP address for real-time filtering
Same markings denote the same source network
What about different paths?
Traceback
Use the inverse marking procedure to trace the sources of those packets
Recursively "visit" upstream routers until you find a source
Requires a map of the upstream routers
Computationally intensive – can be done "post mortem"
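The marking, filtering and traceback steps of slides 4 to 6 can be followed on a small simulated topology. The code below is an added example, not code from the slides or from the authors' implementation. The slides do not give the exact field split, so it assumes the 17-bit mark is a 12-bit path field plus a 5-bit distance field, that each router contributes the low 12 bits of its IPv4 address, and it uses a constructed four-router topology with constructed addresses.

```python
"""Simulation of router path marking, mark-based filtering and inverse traceback.

Added example, not from the Stefanidis/Serpanos deck. Assumed (not stated on the
slides): a 12-bit path field and a 5-bit distance field (17 bits total), and each
router XORs the low 12 bits of its IPv4 address into the path field. The router
addresses and the upstream map are constructed sample data.
"""
import ipaddress

PATH_BITS = 12
DIST_BITS = 5
PATH_MASK = (1 << PATH_BITS) - 1
DIST_MASK = (1 << DIST_BITS) - 1

# Constructed topology: for each router, the routers directly upstream of it
# (towards the sources). The victim sits directly behind 10.1.1.1.
UPSTREAM = {
    "10.1.1.1": ["10.2.2.2", "10.4.4.4"],
    "10.2.2.2": ["10.3.3.7"],
    "10.3.3.7": [],   # first-hop router of the attacking hosts
    "10.4.4.4": [],   # first-hop router of a legitimate client
}


def router_fragment(ip):
    """Part of the router address XORed into the path field (assumed: low 12 bits)."""
    return int(ipaddress.IPv4Address(ip)) & PATH_MASK


def forward(path_routers, initial_mark=None):
    """Carry a packet through path_routers (first hop first); return its (path, distance).

    The first router always initializes the mark, so whatever the sender wrote
    into the overloaded header fields (initial_mark) is discarded. That is what
    makes the scheme robust against false markings.
    """
    mark = initial_mark
    for hop, router in enumerate(path_routers):
        frag = router_fragment(router)
        if hop == 0:
            mark = (frag, 0)
        else:
            path, dist = mark
            mark = (path ^ frag, (dist + 1) & DIST_MASK)
    return mark


def encode(mark):
    """Pack (path, distance) into the 17-bit value carried in the header fields."""
    path, dist = mark
    return (dist << PATH_BITS) | path


def decode(value):
    """Inverse of encode()."""
    return (value & PATH_MASK, (value >> PATH_BITS) & DIST_MASK)


def filter_packets(packets, blocked_marks):
    """Real-time filtering on the mark alone; the (spoofable) source IP is never consulted.

    packets is a list of (mark, payload); returns the payloads that are let through.
    """
    return [payload for mark, payload in packets if mark not in blocked_marks]


def traceback(router, mark):
    """Inverse marking: strip each router's contribution while walking upstream.

    Returns the first-hop routers whose fragment explains the mark. More than one
    entry means the mark is ambiguous for this map (a false positive).
    """
    path, dist = mark
    if dist == 0:
        return [router] if path == router_fragment(router) else []
    stripped = (path ^ router_fragment(router), dist - 1)
    found = []
    for upstream in UPSTREAM[router]:
        found.extend(traceback(upstream, stripped))
    return found


if __name__ == "__main__":
    # The attacker pre-fills the fields with garbage; the first router overwrites it.
    attack = forward(["10.3.3.7", "10.2.2.2", "10.1.1.1"], initial_mark=(PATH_MASK, DIST_MASK))
    legit = forward(["10.4.4.4", "10.1.1.1"])
    print("attack mark", attack, "encoded", encode(attack))
    print("legit mark ", legit, "encoded", encode(legit))
    print("kept:", filter_packets([(attack, "attack pkt"), (legit, "legit pkt")], {attack}))
    print("attack sources:", traceback("10.1.1.1", attack))
```

Two hosts behind the same first-hop router receive identical marks, which is the "same markings denote the same source network" property of slide 6; a client on the other branch produces a different mark and passes the filter. Traceback needs only the victim-side map in UPSTREAM and the mark, nothing from the packet's source address.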
7
Analysis - Overheads
The marking procedure is simple and stateless
It produces no bandwidth overhead
The amount of information that has to be stored by the victim is limited
One 17-bit marking per attack source
An updated map of upstream routers (< 10 MB)
8
Analysis - Faults
No false negative probability is introduced
False positives exist
R is the number of edge routers
A is the number of attacking hosts
n is the number of bits of the marking
9
Conclusions and Further Work
Identifying the true source of incoming packets is the key problem that has to be solved in order to effectively stop DDoS attacks
This marking scheme enables
Per-packet filtering of attack packets
Effective traceback
Unlike existing marking schemes
It is robust against false markings
False positives do not rise as attacking hosts increase
No additional packets are required for filtering and traceback purposes
10
Thank you… Any questions?