Abstract
Distributed Denial of Service (DDoS) attacks have become one of the most serious threats to the information infrastructure. In this paper we first present a new filtering approach, Mark-Aided Distributed Filtering (MADF), which finds network anomalies by using a back-propagation neural network, deploys the defense system at distributed routers, and identifies and filters attack packets before they can reach the victim. Second, we propose an analytical model for the interactions between the DDoS attack party and the defense party, which gives deep insight into those interactions. According to the experimental results, MADF can detect and filter DDoS attack packets with high sensitivity and accuracy, thus providing high legitimate traffic throughput and low attack traffic throughput. Through the comparison between experimental and numerical results, we also demonstrate the validity of the analytical model, which can precisely estimate the effectiveness of a DDoS defense system before it encounters different attacks.
Copyright information
© 2005 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Xiang, Y., Zhou, W. (2005). Safeguard Information Infrastructure Against DDoS Attacks: Experiments and Modeling. In: Desmedt, Y.G., Wang, H., Mu, Y., Li, Y. (eds) Cryptology and Network Security. CANS 2005. Lecture Notes in Computer Science, vol 3810. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11599371_26
DOI: https://doi.org/10.1007/11599371_26
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-30849-2
Online ISBN: 978-3-540-32298-6
eBook Packages: Computer Science (R0)