Safeguard Information Infrastructure Against DDoS Attacks: Experiments and Modeling

  • Conference paper
Cryptology and Network Security (CANS 2005)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 3810)

Abstract

Nowadays, Distributed Denial of Service (DDoS) attacks have become one of the most serious threats to the information infrastructure. In this paper we first present a new filtering approach, Mark-Aided Distributed Filtering (MADF), which finds network anomalies by using a back-propagation neural network, deploys the defense system at distributed routers, and identifies and filters the attack packets before they can reach the victim. Second, we propose an analytical model for the interactions between the DDoS attack party and the defense party, which gives us deep insight into those interactions. According to the experimental results, MADF can detect and filter DDoS attack packets with high sensitivity and accuracy, and thus provides high legitimate traffic throughput and low attack traffic throughput. Through the comparison between experimental and numerical results, we also demonstrate the validity of the analytical model, which can precisely estimate the effectiveness of a DDoS defense system before it encounters different attacks.

Copyright information

© 2005 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Xiang, Y., Zhou, W. (2005). Safeguard Information Infrastructure Against DDoS Attacks: Experiments and Modeling. In: Desmedt, Y.G., Wang, H., Mu, Y., Li, Y. (eds) Cryptology and Network Security. CANS 2005. Lecture Notes in Computer Science, vol 3810. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11599371_26

  • DOI: https://doi.org/10.1007/11599371_26

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-30849-2

  • Online ISBN: 978-3-540-32298-6

  • eBook Packages: Computer Science, Computer Science (R0)
