Multimedia Tools and Applications

, Volume 74, Issue 16, pp 6341–6363 | Cite as

A Service-oriented DDoS detection mechanism using pseudo state in a flow router

  • PyungKoo ParkEmail author
  • SeongMin Yoo
  • HoYong Ryu
  • Jaehyung Park
  • Cheol Hong Kim
  • Su-il Choi
  • JaeCheol Ryou


As distributed denial-of-service (DDoS) attacks have caused serious economic and social problems, there have been numerous researches to defend against them. The current DDoS defense system relies on a dedicated security device, which is located in front of the server it is required to protect. To detect DDoS attacks, this security device compares incoming traffic to known attack patterns. Since such a defense mechanism cannot prevent an influx of attack traffic into the network, and every packet must be compared against the known attack patterns, the mechanism often degrades the service. In this paper, we propose the Service-oriented DDoS Detection Mechanism using a Pseudo State (SDM-P), which runs on network devices to defend against DDoS attacks without sacrificing performance in terms of data forwarding. The SDM-P mechanism is suitable for both low- and high-rate attacks. In addition, we verified the performance of the SDM-P mechanism by evaluating its performance using a DDoS attack similar to the one that occurred in Korea and the USA on July 7th, 2009.


Distributed denial-of-service Flow Router Pseudo states 



This research was partly supported by the R&D program of MSIP (Ministry of Science, ICT and Future Planning) [Project No. 10043380], the ITRC (Information Technology Research Center) support program [NIPA-2013-H0301-13-1003] supervised by the NIPA (National IT Industry Promotion Agency) and Basic Science Research Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Education, Science, and Technology [Grant No. 2012R1A1A4A01004195].


  1. 1.
    BBC News, New ‘cyber attacks’ hit S Korea, 2009-07-09Google Scholar
  2. 2.
    Bellovin SM (2000) ICMP traceback messages. Work in progress, internet draft draftbellovin-itrace-00.txtGoogle Scholar
  3. 3.
    Binstock A (1996) Hashing rehashed: is RAM spped making your hashing less efficient? Dr. Dobb’s J vol. 4, no. 2Google Scholar
  4. 4.
    Black JR Jr., Martel CU, Qi H (1998) Graph and hashing algorithms for modern architectures: Design and performance. In Proceedings of the 2nd Workshop on Algorithm Engineering (WAE’98), Saarbrucken, GermanyGoogle Scholar
  5. 5.
    Broder A, Mitzenmacher M (2001) Using multiple hash functions to improve IP lookups. In Proceedings of the Twentieth Annual Joint Conference of the IEEE Computer and Communications Societies (IEEE INFOCOM 2001), Anchorage, AKGoogle Scholar
  6. 6.
    Charette C (2011) Distributed denial of service attacks flare up. IEEE spectrumGoogle Scholar
  7. 7.
    Gong C, Sarac K (2008) A more practical approach for single-packet IP traceback using packet logging and marking. IEEE Trans Parallel Distributed Syst 19:1310–1324CrossRefGoogle Scholar
  8. 8.
    Hillier FS, Lieberman GJ (2001) Introduction to operations research, 7th ed. McGraw-Hill Higher EducationGoogle Scholar
  9. 9.
  10. 10.
    Internet Website:
  11. 11.
  12. 12.
    Ioannidis J, Bellovin SM (2002) Implementing pushback: router-based defense against DDoS Attacks. Proc. NDSS’2002Google Scholar
  13. 13.
    Jin C, Wang H, Shin KG (2003) Hop-count filtering: an effective defense against spoofed DDoS Traffic. Proceeding of the 10th ACM Conference on Computer and Communications SecurityGoogle Scholar
  14. 14.
    Kuzmanovic A, Knightly EW (2001) Low-rate TCP-Targeted denial of service attacks and counter strategies. IEEE/ACM Transactions to Improve IP Lookups, INFOCOM 2001. Twentieth,
  15. 15.
    Lau F, Rubin SH, Smith MH, et al. (2000) Distributed denial of service attacks. 2000 IEEE International Conference on Systems, Man, and CyberneticsGoogle Scholar
  16. 16.
    Litwin W (1980) Linear hashing: a new tool for file and table addressing. In proceeding of: Sixth International Conference on Very Large Data Bases, October 1–3, 1980, Montreal, Quebec, Canada, ProceedingsGoogle Scholar
  17. 17.
    Paxson V (2006) End-to-end routing behavior in the internet. IEEE/ACM Transaction on Networking, pp. 601–615Google Scholar
  18. 18.
    Shon T, Kim Y, Lee C, et al (2005) A machine learning framework for network anomaly detection using SVM and GA. The Sixth Annual IEEE SMCGoogle Scholar
  19. 19.
    Tanachaiwiwiat S, Hwang K (2003) Differential packet filtering against DDoS flood attacks. Proc. ACM Conference on Computer and Communications Security (CCS)Google Scholar
  20. 20.
    Waldvogel M, Varghese G, Turner J (1997) Scalable high speed IP routing lookups.
  21. 21.
    Wang H, Zhang D, Shin KG (2002) Detecting SYN Flooding Attacks. INFOCOM 2002. Twenty-First Annual Joint Conference of the IEEE Computer and Communications Societies. Proceedings. Vol 3, 1530–1539Google Scholar

Copyright information

© Springer Science+Business Media New York 2014

Authors and Affiliations

  • PyungKoo Park
    • 1
    Email author
  • SeongMin Yoo
    • 2
  • HoYong Ryu
    • 1
  • Jaehyung Park
    • 3
  • Cheol Hong Kim
    • 3
  • Su-il Choi
    • 3
  • JaeCheol Ryou
    • 2
  1. 1.Communication Internet Research Lab., Network Software Research SectionElectronics and Telecommunications Research InstituteDaejeonRepublic of Korea
  2. 2.Information Security Lab., Department of Computer EngineeringChungnam National UniversityDaejeonRepublic of Korea
  3. 3.School of Electronics and Computer EngineeringChonnam National UniversityGwangjuRepublic of Korea

Personalised recommendations