Defending against spoofed DDoS attacks with path fingerprint

Lee, Fu-Yuan; Shieh, Shiuh-Pyng

doi:10.1016/j.cose.2005.03.005

Cited by 33 publications

(7 citation statements)

References 8 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…So the victim can execute proper operations (accept or discard) to received packets on a per packet basis. But there is only a 16-bit ID field in the IP header that can be used to carry the information, which is first proposed by Savage et al [5] and then widely accepted by other researchers [6] [7] [8] [10] [11]. This means schemes that make use of the IP ID field can only distinguish no more than 65,536 different paths.…”

Section: A the Basic Idea Of Hpimentioning

confidence: 98%

“…With DBM, similar to Pi, all the packets originating from the same location upon arriving at a destination have a common path signature. Lee et al [11] proposed the ANTID scheme. It use a distance filed to enhance differentiation effects for different paths.…”

Section: Related Workmentioning

confidence: 99%

“…Previous Pi-like marking schemes suggest each router marks 1 or 2 bits in each packet it forwards [7] [8] while ANTID suggest routers contribute 11-bit information in packet marking [11]. In consideration of making full use of the IP ID field even though there is only one router along the path, the basic idea of HPi is that each router hashes the last 16 bits of the MD5 cryptographic hash of its IP address into the IP ID field of each packet it forwards to generate an identifier that indicates the path a packet has traversed.…”

Section: A the Basic Idea Of Hpimentioning

confidence: 99%

See 2 more Smart Citations

A Hash-Based Path Identification Scheme for DDoS Attacks Defense

Jin

Zhang

et al. 2009

2009 Ninth IEEE International Conference on Computer and Information Technology

View full text Add to dashboard Cite

Distributed Denial of Service (DDoS) attacks pose a major threat to today's cyber security. Defense against these attacks is complicated by source IP address spoofing, which is exploited by attackers to conceal source IP addresses and localities of malicious traffic. In this paper, we propose HPi (Hash-based Path Identification), a novel packet marking scheme to defeat DDoS attacks regardless of forged IP addresses. Our scheme makes full use of a packet's 16-bit IP Identification field to generate a unique identifier corresponding to a path the packet traverses. Each router along the path hashes the last 16 bits of its IP address into the IP Identification field. Thus the victim can identify every single received packet as legitimate or malicious on a per packet basis with high accuracy. And we develop different filtering strategies for victim servers with different capabilities. We also propose a new packet filtering mechanism, the HPi2HC filter, for the victim to distinguish between legitimate and malicious packets more accurately based on tuple of each packet. Simulation results show that the performance of our scheme is still quite promising even when only half of the routers in the network participate in packet marking. The HPi scheme is also lightweight, supporting incremental deployment, and is robust against randomly initial values in IP Identification field forged by sophisticated attackers.

show abstract

Section: A the Basic Idea Of Hpimentioning

confidence: 98%

Section: Related Workmentioning

confidence: 99%

Section: A the Basic Idea Of Hpimentioning

confidence: 99%

See 1 more Smart Citation

A Hash-Based Path Identification Scheme for DDoS Attacks Defense

Jin

Zhang

et al. 2009

2009 Ninth IEEE International Conference on Computer and Information Technology

View full text Add to dashboard Cite

show abstract

“…The Dynamic Path Identification mechanism, proposed by Lee et al [8], suggests a router decide the marking bit size dynamically in accordance with the Time-toLive (TTL). Lee et al [9] proposed the ANTID scheme. It uses a distance filed to enhance differentiation effects for different paths.…”

Section: Related Workmentioning

confidence: 99%

A Pi2HC mechanism against DDoS attacks

Jin

Zhang

et al. 2008

2008 Third International Conference on Communications and Networking in China

View full text Add to dashboard Cite

Distributed Denial of Service (DDoS) attacks pose a major threat to today's cyber security. Defense against these attacks is complicated by source IP address spoofing. The Path Identification (Pi) mechanism is a promising technique to defend against DDoS attacks with IP spoofing. In the Pi scheme, each router marks forwarding packets to generate particular identifiers corresponding to different paths, which can be used to distinguish between malicious packets and legitimate ones. To improve the previous Pi scheme, we suggest that the victim record not only the Pi mark of each packet but also its hop count (HC). Thus the victim can use the tuple to identify and discard malicious packets instead of Pi more effectively. By theoretical analysis and simulations based on actual Internet topologies, we demonstrate our scheme, Pi2HC, outperforms previous Pi. We also show that Pi2HC is robust against spoofed initial Time-to-Live (TTL) values by sophisticated attackers.

show abstract

“…A correct node identification is critical, and the lack of control on it could yield to vulnerabilities in the replication process, ID spoofing, and DoS attacks (or DDOS, against which a solution such as that proposed in [6] can be applied). An example is the problem of churn, which involves a large number of potentially malicious peers in the P2P system to certify the peers identities.…”

Section: Identification Vs Anonymitymentioning

confidence: 99%

Security in P2P Networks: Survey and Research Directions

Palomar

Tapiador

Hernández-Castro

et al. 2006

Emerging Directions in Embedded and Ubiquitous Computing

View full text Add to dashboard Cite

Abstract.A fundamental feature of Peer-to-Peer (P2P) networks is the honest collaboration among an heterogeneous community of participants. After Napster success -the first P2P file sharing application massively used-, advances in this area have been intense, with the proposal of many new architectures and applications for content and computing sharing, and collaborative working environments. However, the inherent differences between the P2P model and the classic client-server paradigm cause that many security solutions developed for the latter are not applicable or, in the best case, have to be carefully adapted. In this paper, we present a survey on security issues in P2P networks, providing a comparative analysis of existing solutions and identifying directions for future research.

show abstract

Defending against spoofed DDoS attacks with path fingerprint

Cited by 33 publications

References 8 publications

A Hash-Based Path Identification Scheme for DDoS Attacks Defense

A Hash-Based Path Identification Scheme for DDoS Attacks Defense

A Pi2HC mechanism against DDoS attacks

Security in P2P Networks: Survey and Research Directions

Contact Info

Product

Resources

About