Abstract
Distributed Denial-of-Service (DDoS) attacks have been identified as one of the most serious threats to Internet services. The attack denies service to legitimate users by flooding and consuming the network resources of the target server. We propose a distributed defense mechanism that filters out malicious traffic while allowing a significant share of legitimate traffic through during an actual attack. We investigate the features of network traffic that can be used for such filtering and describe a history-based profiling algorithm to identify legitimate traffic. We use Bloom filters to implement the history-based profile model efficiently, which reduces communication and computation costs. To further reduce these costs, we describe two optimizations: (a) using only three octets of the IP address to generate the history profile, and (b) a data structure called the Compacted Bloom Filter, a modified version of a regular Bloom filter. We use these notions as building blocks for a distributed framework called Collaborative Filtering, which filters attack traffic as far away from the target server as possible. The proposed techniques identify a set of nodes that are best suited for filtering attack traffic and place the Bloom filters at these locations. The approach is evaluated on different real-world data sets from Auckland University, CAIDA, and Colorado State University. Under different experimental settings, we demonstrate that 70–95% of attack traffic can be filtered by our approach while allowing the flow of a similar percentage of legitimate traffic.
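As an added illustration (not the paper's own code), the following builds a history-based profile in a regular Bloom filter keyed on the first three octets of the source address (optimization (a) above) from constructed past-traffic addresses, then applies it to a constructed attack-time trace. The Compacted Bloom Filter and the collaborative node placement are not reproduced; the hashing scheme and sizing formulas are standard Bloom-filter choices, not the paper's.

```python
import hashlib
import ipaddress
import math


class BloomFilter:
    """Regular Bloom filter over byte strings (not the paper's Compacted variant)."""

    def __init__(self, expected_items: int, fp_rate: float):
        # Standard sizing: m = -n ln p / (ln 2)^2 bits, k = (m / n) ln 2 hashes.
        self.m = max(8, math.ceil(-expected_items * math.log(fp_rate) / math.log(2) ** 2))
        self.k = max(1, round(self.m / expected_items * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item: bytes):
        # Double hashing derived from a single SHA-256 digest (assumed scheme).
        d = hashlib.sha256(item).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item: bytes) -> None:
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item: bytes) -> bool:
        return all((self.bits[p >> 3] >> (p & 7)) & 1 for p in self._positions(item))


def profile_key(ip: str) -> bytes:
    """Profile key: the first three octets (/24 prefix) of the source address."""
    return ipaddress.IPv4Address(ip).packed[:3]


def build_profile(history: list[str], fp_rate: float = 0.001) -> BloomFilter:
    """Record every /24 prefix seen in past legitimate traffic."""
    keys = {profile_key(ip) for ip in history}
    bf = BloomFilter(len(keys), fp_rate)
    for key in keys:
        bf.add(key)
    return bf


def filter_traffic(profile: BloomFilter, packets: list[str]):
    """Admit sources whose prefix is in the history; drop the rest.
    Previously seen prefixes are never dropped; unseen prefixes are
    admitted only with the configured false-positive probability."""
    admitted = [ip for ip in packets if profile_key(ip) in profile]
    dropped = [ip for ip in packets if profile_key(ip) not in profile]
    return admitted, dropped


# Constructed sample data: past legitimate sources, then a mixed attack-time trace.
HISTORY = ["192.0.2.10", "192.0.2.77", "198.51.100.5", "203.0.113.42"]
ATTACK_TRACE = ["192.0.2.200", "198.51.100.9", "10.99.1.1", "172.16.5.5", "203.0.113.1", "10.99.2.2"]
```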
An earlier version of this work appeared in [1]. This work was partially supported by NSF I/UCRC Award Number 1650573 and funding from CableLabs. The views and conclusions contained in this document are those of the authors and should not be automatically interpreted as representing the official policies, either expressed or implied, of NSF, CableLabs, Furuno Electric Company, SecureNok, and AFRL.
References
Mosharraf, N., Jayasumana, A.P., Ray, I.: Using a history-based profile to detect and respond to DDoS attacks. In: Proceedings of the 14th International Joint Conference on e-Business and Telecommunications (ICETE 2017) - Volume 4: SECRYPT, pp. 175–186 (2017)
Steinberger, J., Sperotto, A., Baier, H.: Collaborative attack mitigation and response: a survey. In: IFIP/IEEE International Symposium on IM, pp. 910–913 (2005)
Munivara Prasad, K., Rama Mohan Reddy, A., Venugopal Rao, K.: DoS and DDoS attacks: defense, detection and traceback mechanisms - a survey. J. JCST 14, 15–32 (2014)
Gil, T.M., Poletto, T.: MULTOPS: a data-structure for bandwidth attack detection. In: Proceedings of USENIX Security Symposium (2001)
Waikato Applied Network Dynamics Research Group: Auckland University data traces (2016). http://wand.cs.waikato.ac.nz/wand/wits/. Accessed 12 Mar 2016
Schwartz, M.J.: DDoS attack hits 400 Gbit/s, breaks record (2014). http://www.darkreading.com/attacks-and-breaches/ddos-attack-hits-400-gbit-s-breaks-record/d/d-id/1113787. Accessed 2 Nov 2014
https://www.tripwire.com/state-of-security/featured/5-notable-ddos-attacks-2017/
DDoS incident report (2018). Accessed 04 Apr 2018
Chen, Y., Hwang, K., Ku, W.S.: Collaborative detection of DDoS attacks over multiple network domains. IEEE Trans. Parallel Distrib. Syst. 18, 1649–1662 (2007)
Chen, C., Park, J.M.: Attack diagnosis: throttling distributed denial-of-service attacks close to the attack sources. In: Proceedings of IEEE ICCCN, pp. 275–280 (2005)
(2018). Accessed 1 Apr 2018
Yaar, Y., Perrig, A., Song, D.: Pi: a path identification mechanism to defend against DDoS attacks. In: Proceedings of IEEE S&P, pp. 93–107 (2003)
Wang, H., Jin, C., Shin, K.: Defense against spoofed IP traffic using hop-count filtering. IEEE/ACM Trans. Netw. 15, 40–53 (2007)
Kim, Y., Lau, W., Chuah, M., et al.: PacketScore: statistics-based overload control against distributed denial of service attacks. In: Proceedings of INFOCOM, pp. 141–155 (2004)
Ioannidis, J., Bellovin, S.: Implementing pushback: router-based defense against DDoS attacks. In: Proceedings of NDSS (2002)
Mirkovic, J., Prier, G., Reiher, P.L.: Attacking DDoS at the source. In: Proceedings of IEEE ICNP, pp. 312–321 (2002)
Mahajan, R., Bellovin, S.M., Floyd, S., et al.: Controlling high bandwidth aggregates in the network. ACM SIGCOMM 32, 62–73 (2002)
Papadopoulos, C., Lindell, R., Mehringer, J., et al.: COSSACK: coordinated suppression of simultaneous attacks. In: Proceedings of Discex III, pp. 94–96 (2003)
Francois, J., Aib, I., Boutaba, R.: FireCol: a collaborative protection network for the detection of flooding DDoS attacks. IEEE/ACM Trans. Netw. 20, 1828–1841 (2012)
Aghaei Foroushani, Z.H.: TDFA: traceback-based defense against DDoS flooding attacks. In: Proceedings of AINA IEEE, pp. 710–715 (2014)
Luo, H., Chen, Z., Li, J., Vasilakos, A.V.: Preventing distributed denial-of-service flooding attacks with dynamic path identifiers. IEEE Trans. Inf. Forensics Secur. 12, 1801–1815 (2017)
Hameed, S., Khan, H.A.: SDN based collaborative scheme for mitigation of DDoS attacks. Future Internet 10, 23 (2018)
Sung, M., Xu, J.: IP traceback-based intelligent packet filtering: a novel technique for defending against internet DDoS attacks. IEEE Trans. Parallel Distrib. Syst. 14, 861–872 (2003)
Yaar, Y., Perrig, A., Song, D.: SIFF: a stateless internet flow filter to mitigate DDoS flooding attacks. In: Proceedings of IEEE S&P, pp. 130–143 (2004)
Peng, T., Leckie, C., Ramamohanarao, K.: Detecting distributed denial of service attacks using source IP address monitoring. In: Proceedings of NETWORKS (2004)
Wang, H., Zhang, D., Shin, K.: Change-Point monitoring for the detection of DoS attacks. IEEE Trans. Dependable Secure Comput. 1, 193–208 (2004)
Manikopoulos, C., Papavassiliou, S.: Network intrusion and fault detection: a statistical anomaly approach. IEEE Commun. Mag. 40, 76–82 (2002)
Noh, S., Jung, G., Choi, K., et al.: Compiling network traffic into rules using soft computing methods for the detection of flooding attacks. J. Appl. Soft Comput. 8, 1200–1210 (2008)
Mirkovic, J., Reiher, P.: D-WARD: a source-end defense against flooding denial-of-service attacks. IEEE Trans. Dependable Secure Comput. 2, 216–232 (2005)
Wang, H., Zhang, D., Shin, K.: Detecting SYN flooding attacks. In: Proceedings of IEEE INFOCOM, pp. 1530–1539 (2002)
Peng, T., Leckie, C., Ramamohanarao, K.: Protection from distributed denial of service attack using history-based IP filtering. In: Proceedings of IEEE ICC, pp. 482–486 (2003)
Peng, T., Leckie, C., Ramamohanarao, K.: Survey of network-based defense mechanisms countering the DoS and DDoS problems. ACM Comput. Surv. 39, 1–42 (2007)
RioRey Inc.: Taxonomy DDoS attacks (2012). http://www.riorey.com/xresources/2012/RioRe. Accessed 24 Dec 2015
Jung, J., Krishnamurthy, B., Rabinovich, M.: Flash crowds and denial of service attacks: characterization and implications for CDNs and web sites. In: Proceedings of WWW Conference, pp. 293–304 (2002)
Lee, K., Kim, J., Kwon, K.H., et al.: DDoS attack detection method using cluster analysis. Expert Syst. Appl. 34, 1659–1665 (2007)
Bloom, B.H.: Space/time trade-offs in hash coding with allowable errors. Commun. ACM 13, 422–426 (1970)
(JDSU)
Melander, B., Bjorkman, M., Gunningberg, P.: A new end-to-end probing and analysis method for estimating bandwidth bottlenecks. In: Global Telecommunications Conference, GLOBECOM 2000, vol. 1, pp. 415–420. IEEE (2000)
IMPACT Cyber Trust: Colorado state university dataset: FRGPContinuousFlowData (2015). Accessed 26 Oct 2016
Center for Applied Internet Data Analysis: The CAIDA “DDoS Attack 2007” dataset (2007). http://www.caida.org/data/passive/ddos-20070804-dataset.xml. Accessed 7 May 2016
(1998, D.I.D.D.)
© 2019 Springer Nature Switzerland AG
Cite this paper
Mosharraf, N., Jayasumana, A.P., Ray, I., Bezawada, B. (2019). History-Based Throttling of Distributed Denial-of-Service Attacks. In: Obaidat, M., Cabello, E. (eds) E-Business and Telecommunications. ICETE 2017. Communications in Computer and Information Science, vol 990. Springer, Cham. https://doi.org/10.1007/978-3-030-11039-0_10
DOI: https://doi.org/10.1007/978-3-030-11039-0_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-11038-3
Online ISBN: 978-3-030-11039-0