Conference Paper

Improved marking model ERPPM tracing back to DDoS attacker

Network Res. Center, Tsinghua Univ., Beijing, China
DOI: 10.1109/ICITA.2005.158 Conference: Information Technology and Applications, 2005. ICITA 2005. Third International Conference on, Volume: 2
Source: IEEE Xplore

ABSTRACT: In this paper we present a new model, ERPPM, for providing traceback information in IP packets. It marks packets with a dynamic optimal marking probability so that the victim receives every router's marked packets with equal probability, which greatly reduces the number of packets needed to reconstruct the attack path.
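To make the abstract's claim concrete, here is an added Python example (not code from the paper) that compares classic fixed-probability PPM with a dynamic rule in which router i, counted from the attacker, marks with probability 1/i; that rule is an assumption chosen to illustrate equal-probability arrival and is not necessarily ERPPM's own rule. It computes, for each router, the probability that a packet reaching the victim carries that router's mark, and the expected number of received packets before the victim holds at least one mark from every router on the path.

```python
from fractions import Fraction
from itertools import combinations

def fixed_ppm_arrival(d, p):
    """Classic PPM with a fixed marking probability p on a path of d routers.
    Router 1 is adjacent to the attacker, router d to the victim. A received
    packet carries router i's mark only if router i marked it and none of the
    d - i routers after it overwrote the mark: p * (1 - p)^(d - i)."""
    p = Fraction(p)
    return [p * (1 - p) ** (d - i) for i in range(1, d + 1)]

def dynamic_ppm_arrival(d):
    """Assumed dynamic rule (not taken from the paper): router i marks with
    probability 1/i. The mark that survives to the victim then comes from
    every router with the same probability: (1/i) * prod_{j>i}(1 - 1/j) = 1/d."""
    probs = []
    for i in range(1, d + 1):
        survive = Fraction(1)
        for j in range(i + 1, d + 1):
            survive *= 1 - Fraction(1, j)   # router j leaves the mark alone
        probs.append(Fraction(1, i) * survive)
    return probs

def expected_packets_to_reconstruct(arrival):
    """Expected number of received packets until the victim holds at least one
    mark from every router (coupon collector with unequal probabilities, via
    inclusion-exclusion). Unmarked packets simply do not count as a coupon."""
    total = Fraction(0)
    for k in range(1, len(arrival) + 1):
        for subset in combinations(arrival, k):
            total += Fraction((-1) ** (k + 1)) / sum(subset)
    return total

if __name__ == "__main__":
    d = 10                                          # constructed path length
    fixed = fixed_ppm_arrival(d, Fraction(1, 25))   # p = 0.04, a common PPM choice
    dynamic = dynamic_ppm_arrival(d)
    print("per-router arrival, fixed p=0.04:", [round(float(x), 4) for x in fixed])
    print("per-router arrival, dynamic 1/i :", [round(float(x), 4) for x in dynamic])
    print("expected packets, fixed  :", float(expected_packets_to_reconstruct(fixed)))
    print("expected packets, dynamic:", float(expected_packets_to_reconstruct(dynamic)))
```

The fixed-p column shows marks from routers far from the victim arriving rarely, which is what drives up the packet count; the dynamic column is flat at 1/d.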

  • ABSTRACT: This paper describes a novel DDoS traceback scheme. It addresses the disadvantages of current schemes, which cannot trace back a large-scale DDoS attack without an increasing false-positive rate, cannot trace back a DDoS attack quickly because of the large number of packets required for reconstruction, or cannot be applied in the high-speed Internet because of the high network and router overhead. The proposed scheme maps k hash digests of the router's IP address into an m-bit Bloom filter array. The m-bit Bloom filter array is then probabilistically written into the IP header of a passing packet, or deterministically accumulated with the marking information already in the IP header of a marked packet. If the Bloom filter array in the marking information is full, the marking information is probabilistically written into another packet with the same source address and the same destination address. The scheme has several advantages: a low false-positive rate, fewer packets needed to reconstruct the attack path, and low computation and storage overhead at the router. It implements fast local traceback under large-scale DDoS attack in the high-speed Internet.
  • ABSTRACT: To solve DoS/DDoS problems efficiently, the first thing is to locate the attack origins and then coordinate with nearby filter(s) to drop abnormal packets in time. Ordinary routers cannot provide functions such as tracking and filtering; they have to be enhanced with additional functions to defend against DoS/DDoS attacks. We refer to the enhanced routers as tracers. According to the characteristics, cost and necessity of tracers, three kinds of heterogeneous tracers are selected, namely tunneling-enabled tracers, marking-enabled tracers and filtering-enabled tracers. The tunneling-enabled tracers, with the lowest cost, can easily alter the path of passing packets to the destination. In this paper, we study how to use tunneling-enabled tracers efficiently to forward packets to the best marking-enabled or filtering-enabled tracer for locating attack origins and filtering abnormal packets in time. Four methods are proposed and compared with the optimal solution. Simulation results show that the fourth method, with the assistance of marking-enabled tracers, has the best performance in protecting network bandwidth.