Presentation is loading. Please wait.

Presentation is loading. Please wait.

Packet-Marking Scheme for DDoS Attack Prevention

Published byEdward Montgomery Modified over 8 years ago

Similar presentations

Presentation on theme: "Packet-Marking Scheme for DDoS Attack Prevention"— Presentation transcript:

1 Packet-Marking Scheme for DDoS Attack Prevention
K. Stefanidis and D. N. Serpanos University of Patras

2 Introduction DDoS attacks thrive… Detection works most of the times
They cannot be stopped because the sources of the attack are hard to find Unlike most hacking attempts, no response from the victim is required Thus, the source IP address of the attack packets is almost always spoofed Proposed Solutions Ingress filtering Logging Link testing Packet Marking

3 Goals and Assumptions We need to find a way to filter the packets that are part of a DDoS attack Note: Source IP address can be spoofed We need to find a way to distinguish legitimate from attack packets No additional information except from the packet’s contents should be required No additional packets should be required Attacker may generate any packet Attacker knows that he is being traced Attacker knows the traceback scheme Routing is stable most of the time Routers are not compromised Routers are CPU and Memory limited

4 Marking Scheme - Overview
Packets are marked by all the routers along their path Upon arrival, packets carry a distinct mark that denotes their path A path and a distance field compose the mark Routers <XOR> part of their IP address with existing path field They also increase distance field by one

5 Marking Procedure We overload part of the fragmentation fields of the IP header The first router along the path initializes the marking The other routers inject their information Scheme is robust against false markings

6 Filtering and Traceback
Detection/Filtering system can use packet markings instead of source IP address for real time filtering Same markings denote same source network What about different paths? Traceback Use the inverse marking procedure to trace the sources of those packets Recursively “visit” upstream routers until you find a source Requires a map of the upstream routers Computational intensive – Can be done “post mortem”

7 Analysis - Overheads The marking procedure is simple and stateless
It produces no bandwidth overhead The amount of information that has to be stored by the victim is limited One 17bit marking per attack source An updated map of upstream routers (< 10 MB)

8 Analysis - Faults No false negative probability is introduced
False positives exist R is the number of edge routers A is the number of attacking hosts n is the number of bits of the marking

9 Conclusions and Further Work
Identifying the true source of incoming packets is the key problem that has to be solved in order to effectively stop DDoS attacks This marking scheme enables Per packet filtering of attack packets Effective traceback Unlike existing marking schemes It is robust against false markings False positives do not rise as attacking hosts increase No additional packets are required for filtering and traceback purposes

10 Thank you… Any questions?

Download ppt "Packet-Marking Scheme for DDoS Attack Prevention"

Similar presentations

COMP 7320 Internet Security: Prevention of DDoS Attacks By Dack Phillips.

COMP 7320 Internet Security: Prevention of DDoS Attacks By Dack Phillips.
A CGA based Source Address Authentication Method in IPv6 Access Network(CSA) Guang Yao, Jun Bi and Pingping Lin Tsinghua University APAN26 Queenstown,

A CGA based Source Address Authentication Method in IPv6 Access Network(CSA) Guang Yao, Jun Bi and Pingping Lin Tsinghua University APAN26 Queenstown,
IP Traceback in Cloud Computing Through Deterministic Flow Marking Mouiad Abid Hani Presentation figures are from references given on slide 21. By Presented.

IP Traceback in Cloud Computing Through Deterministic Flow Marking Mouiad Abid Hani Presentation figures are from references given on slide 21. By Presented.
Stefan Savage, David Wetherall, Anna Karlin and Tom Anderson University of Washington- Seattle, WA Presented by Mohammad Hajjat- Purdue University Slides.

Stefan Savage, David Wetherall, Anna Karlin and Tom Anderson University of Washington- Seattle, WA Presented by Mohammad Hajjat- Purdue University Slides.
Defending against Large-Scale Distributed Denial-of-Service Attacks Department of Electrical and Computer Engineering Advanced Research in Information.

Defending against Large-Scale Distributed Denial-of-Service Attacks Department of Electrical and Computer Engineering Advanced Research in Information.
SAVI IP Source Guard draft-baker-sava- implementation Fred Baker.

SAVI IP Source Guard draft-baker-sava- implementation Fred Baker.
IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.

IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.
Hash-Based IP Traceback Best Student Paper ACM SIGCOMM’01.

Hash-Based IP Traceback Best Student Paper ACM SIGCOMM’01.
IP Spoofing CIS 610 Week 2: 13-JAN-2004. Definition and Background n Def’n: The forging of the IP Source Address field in an IP packet n First mentioned.

IP Spoofing CIS 610 Week 2: 13-JAN Definition and Background n Def’n: The forging of the IP Source Address field in an IP packet n First mentioned.
Zhang Fu, Marina Papatriantafilou, Philippas Tsigas Chalmers University of Technology, Sweden 1 ACM SAC 2010 ACM SAC 2011.

Zhang Fu, Marina Papatriantafilou, Philippas Tsigas Chalmers University of Technology, Sweden 1 ACM SAC 2010 ACM SAC 2011.
Streaming Algorithms for Robust, Real- Time Detection of DDoS Attacks S. Ganguly, M. Garofalakis, R. Rastogi, K. Sabnani Krishan Sabnani Bell Labs Research.

Streaming Algorithms for Robust, Real- Time Detection of DDoS Attacks S. Ganguly, M. Garofalakis, R. Rastogi, K. Sabnani Krishan Sabnani Bell Labs Research.
1 Design of Bloom Filter Array for Network Anomaly Detection Author: Jieyan Fan, Dapeng Wu, Kejie Lu, Antonio Nucci Publisher: IEEE GLOBECOM 2006 Presenter:

1 Design of Bloom Filter Array for Network Anomaly Detection Author: Jieyan Fan, Dapeng Wu, Kejie Lu, Antonio Nucci Publisher: IEEE GLOBECOM 2006 Presenter:
Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.

Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.
© 2003 By Default! A Free sample background from www.powerpointbackgrounds.com Slide 1 SAVE: Source Address Validity Enforcement Protocol Authors: Li,

© 2003 By Default! A Free sample background from Slide 1 SAVE: Source Address Validity Enforcement Protocol Authors: Li,
IP Traceback With Deterministic Packet Marking Andrey Belenky and Nirwan Ansari IEEE communication letters, VOL. 7, NO. 4 April 2003 林怡彣.

IP Traceback With Deterministic Packet Marking Andrey Belenky and Nirwan Ansari IEEE communication letters, VOL. 7, NO. 4 April 2003 林怡彣.
Mitigating Bandwidth- Exhaustion Attacks using Congestion Puzzles XiaoFeng Wang Michael K. Reiter.

Mitigating Bandwidth- Exhaustion Attacks using Congestion Puzzles XiaoFeng Wang Michael K. Reiter.
Packet Score: Statistics-based Overload Control against Distributed Denial-of- service Attacks: Yoohwan Kim,Wing Cheong Lau,Mooi Choo Chauh, H. Jonathan.

Packet Score: Statistics-based Overload Control against Distributed Denial-of- service Attacks: Yoohwan Kim,Wing Cheong Lau,Mooi Choo Chauh, H. Jonathan.
DDoS Attack Prevention by Rate Limiting and Filtering d’Artagnan de Anda CS239 Network Security 26 Apr 04.

DDoS Attack Prevention by Rate Limiting and Filtering d’Artagnan de Anda CS239 Network Security 26 Apr 04.
On the Effectiveness of Route- Based Packet Filtering for Distributed DoS Attack Prevention in Power-Law Internets Kihong Park and Heejo Lee Network Systems.

On the Effectiveness of Route- Based Packet Filtering for Distributed DoS Attack Prevention in Power-Law Internets Kihong Park and Heejo Lee Network Systems.
Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.

Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.

Similar presentations

Ads by Google