http://dx.doi.org/10.3837/tiis.2014.05.013

A pioneer scheme in the detection and defense of DrDoS attack involving spoofed flooding packets  

Kavisankar, L. (Department of Computer Science and Engineering, Anna University)
Chellappan, C. (Department of Computer Science and Engineering, Anna University)
Sivasankar, P. (Electronics Engineering Department, NITTTR)
Karthi, Ashwin (Department of Computer Science and Engineering, Anna University)
Srinivas, Avireddy (Department of Information Technology, Madras Institute of Technology, Anna University)
Publication Information
KSII Transactions on Internet and Information Systems (TIIS) / v.8, no.5, 2014, pp. 1726-1743
Abstract
DDoS (Distributed Denial of Service) has been a continuous threat to the cyber world with the growth in cyber technology. This technical evolution has given rise to a number of ultra-sophisticated ways for attackers to perform DDoS attacks. In general, attackers who generate the denial of service use the vulnerabilities of TCP. Some of the vulnerabilities, like SYN (synchronization) flooding and IP spoofing, are used by the attacker to create Distributed Reflected Denial of Service (DrDoS) attacks. An attacker, with the assistance of IP spoofing, creates a number of attack packets, which reflect the flooded packets to the attacker's intended victim system, known as the primary target. The proposed scheme, Efficient Spoofed Flooding Defense (ESFD), provides two levels of checks, consisting of probing and non-repudiation, before allocating a service to the clients. Probing is used to determine the availability of the requested client. Non-repudiation is taken care of by the timestamp enabled in the packet, which is our major contribution. The real-time experimental results showed the efficiency of our proposed ESFD scheme, by increasing the performance of the CPU up to 40%, the memory up to 52% and the network bandwidth up to 67%. This proves the fact that the proposed ESFD scheme is fast and efficient, negating the impact on the network, victim and primary target.
Keywords
Amplification attack; DDoS; DrDoS; IP Spoofing; SYN spoofing