Robust Execution Of Packet Flow In Routers To Prevent Ddos Attack Using Trace Back


Research Article


N. Kavitha1, S. Krishnanev2, S. Naveen Prasad3, N. Giridharan4

1,2,3 Department of Computer Science and Engineering, K.S.Rangasamy College of Technology, India.

4 Assistant Professor, Department of Computer Science and Engineering, K.S.Rangasamy College of Technology, India.

Received 4 January 2016; Accepted 30 January 2016

Abstract- Distributed Denial of Service (DDoS) attacks are a major threat to the Internet. However, the memoryless feature of Internet routing mechanisms makes it extremely difficult to trace back to the source of these attacks. As a result, there is no effective and efficient method to address this issue so far. In this project a new traceback method for DDoS attacks is proposed, based on the entropy variations between normal and DDoS attack traffic, which is fundamentally different from commonly used packet marking techniques. It is an extraordinary challenge to trace back the source of Distributed Denial of Service (DDoS) attacks on the Internet. In DDoS attacks, attackers generate a large number of requests to the victim through compromised computers (zombies), with the aim of denying normal service or degrading the quality of services. Compared to existing DDoS traceback methods, the proposed strategy has a number of advantages: it is memory non-intensive, efficiently scalable, robust against packet pollution, and independent of attack traffic patterns. The results of extensive experimental and simulation studies are presented to illustrate the efficiency and effectiveness of the proposed method. The proposed strategy is fundamentally different from the existing PPM (probabilistic packet marking) or DPM (deterministic packet marking) traceback mechanisms, and it outperforms the available PPM and DPM methods. Because of this significant change, the proposed strategy overcomes the inherited disadvantages of packet marking methods, such as limited scalability, high demands on storage space, and susceptibility to packet pollution. The implementation of the proposed method does not bring any changes to the current routing software. Both PPM and DPM require an upgrade of the existing routing software, which is extremely hard to achieve on the Internet. On the other hand, the proposed method can work independently as an additional module on routers to monitor and record flow information, and communicate with its upstream and downstream routers when the pushback procedure is performed.

1. INTRODUCTION

It is an extraordinary challenge to trace back the source of Distributed Denial of Service (DDoS) attacks on the Internet. In DDoS attacks, attackers generate a large number of requests to the victim through compromised computers (zombies), with the aim of denying normal service or degrading the quality of services. DDoS has been a great threat to the Internet since 2000, and a recent survey [1] of the 70 largest Internet operators in the world showed that DDoS attacks are increasing dramatically, and that individual attacks are strong and sophisticated. In addition, the survey also revealed that the peak of 40 Gigabit DDoS attacks nearly doubled in 2008 compared with the previous year. The main reason behind this phenomenon is that the network security community does not have effective and efficient traceback methods to locate attackers, as it is easy for attackers to disguise themselves by taking advantage of the vulnerabilities of the World Wide Web, such as the dynamic, stateless and anonymous nature of the Internet [2], [3]. IP traceback means the ability to identify the actual source of any data packet transmitted via the Internet. Because of the vulnerability of the original design of the Internet, we may not be able to find the actual hackers at present. In fact, IP traceback schemes are considered successful if they can identify the zombies from which the DDoS attack packets entered the Internet.

Research on DDoS detection, mitigation and filtering has been conducted pervasively. However, the efforts on IP traceback are limited. A number of IP traceback approaches have been proposed to identify attackers, and there are two main methods for IP traceback: probabilistic packet marking (PPM) and deterministic packet marking (DPM). Both strategies require routers to inject marks into individual packets. Moreover, the PPM strategy can only operate in a local area of the Internet (an ISP network), where the defender has the authority to manage. However, this type of ISP network is generally quite small, and it cannot trace back to attack sources located outside the ISP network. The DPM strategy requires all Internet routers to be updated for packet marking. But with only 25 spare bits in the IP packet, the scalability of DPM is a big problem. In addition, the DPM mechanism poses an extraordinary challenge on storage for packet logging at routers. Therefore, it is currently not feasible in practice. Further, both PPM and DPM are vulnerable to hacking, which is referred to as packet pollution.

IP traceback methods should be independent of packet pollution and of different attack patterns. The new approach compares the packet number distributions of the packet flows that are under the control of the attacker when the attack is launched, and it is found that the similarity among attack flows is much higher than the similarity among legitimate flows, such as flash crowds. Entropy growth rate, the growth of entropy as the length of a stochastic sequence increases, was used to find the similarity between two flows in their entropy growth pattern, and relative entropy, an abstract distance between two probability mass distributions, was used to measure the instantaneous difference between two flows. This work proposes a new mechanism for IP traceback using information-theoretic parameters, and there is no packet marking in the proposed strategy; it therefore avoids the inherited weaknesses of packet marking mechanisms. The packets passing through a router are categorized into flows, which are defined by the upstream router where a packet came from and the destination address of the packet. During non-attack periods, routers are required to observe and record the entropy variations of local flows. In this work, flow entropy variation and entropy variation are used interchangeably. Once a DDoS attack has been identified, the victim initiates the following pushback method to identify the locations of zombies: the victim first identifies which of its upstream routers are in the attack tree, based on the flow entropy variations it has accumulated, and then submits requests to the related immediate upstream routers. The upstream routers identify where the attack flows came from, based on the local entropy variations that they have monitored. Once the immediate upstream routers have identified the attack flows, they forward the requests to their own immediate upstream routers to identify the attacker sources further. This process is repeated in a parallel and distributed manner until it reaches the attack source(s) or the discrimination limit between attack flows and legitimate flows is satisfied.

The proposed strategy is fundamentally different from existing PPM or DPM traceback mechanisms, and it outperforms the available PPM and DPM methods. Because of this significant change, the proposed strategy overcomes the inherited disadvantages of packet marking methods, such as limited scalability, high demands on storage space, and susceptibility to packet pollution. The implementation of the proposed method does not bring any changes to the current routing software. Both PPM and DPM require an upgrade of the existing routing software, which is extremely hard to achieve on the Internet. On the other hand, the proposed method can work independently as an additional module on routers to monitor and record flow information, and communicate with its upstream and downstream routers when the pushback procedure is performed.

The main objectives of the project are:

• Minimize the packet loss rate.

• Assist in regulation of malicious packet sending nodes.

• Alert sending to the affecting router.

• The proposed strategy can trace back fast in larger-scale attack networks.

2. RELATED WORK

Traceback of DDoS Attacks Using Entropy Variations

It is obvious that hunting down the attackers (zombies), and further the hackers, is essential in solving the DDoS attack challenge. In general, the traceback strategies are based on packet marking. Packet marking techniques include PPM and DPM. The PPM mechanism attempts to mark packets with the router's IP address information, by probability, on the local router, and the victim can reconstruct the paths that the attack packets went through. The PPM method is vulnerable to attackers, because attackers can send fake marking information to the victim in order to deceive the victim. The accuracy of PPM is another problem, as the marked messages written by the routers that are closer to the leaves (which means far away from the victim) could be overwritten by the downstream routers on the attack tree. At the same time, the majority of PPM algorithms suffer from the storage space problem of storing a large number of marked packets to reconstruct the attack tree. Moreover, PPM requires all Internet routers to be included in the marking. Based upon the PPM mechanism, Law et al. attempted to trace back the attackers using the transmission rates of packets that were directed at the victim. The model carries a very strong assumption: the traffic pattern has to obey the Poisson distribution, which is not always the case on the Internet. In addition, it inherits the disadvantages of the PPM mechanism: a large number of marked packets are expected to reconstruct the attack diagram, processing is centralized at the victim, and it is easily fooled by attackers using packet pollution.

Survey of Network-Based Defense Mechanisms Countering the DoS and DDoS Problems

This is a survey of denial-of-service attacks and the methods that have been proposed for defending against these attacks. In this survey, the authors analyzed the design decisions in the Internet that have created the potential for denial-of-service attacks. They reviewed the state-of-the-art mechanisms for defense against denial-of-service attacks, compared the strengths and weaknesses of each proposal, and discussed possible countermeasures against each defense mechanism. They concluded by highlighting opportunities for an integrated solution to the problem of distributed denial-of-service attacks. The Internet was originally designed for openness and scalability. The infrastructure certainly works as intended by this measure. However, the price for this success has been poor security. For example, the Internet Protocol (IP) was developed to support simple attachment of hosts to networks, and provides little support for verifying the contents of the IP packet header fields [Clark 1988] [2]. This makes it possible to forge the source address of packets, and therefore difficult to identify the source of traffic. Moreover, there is no inherent support in the IP layer to check whether a source is allowed to access a service. Packets are delivered to their destination, and the server at the destination has to decide whether to accept and service these packets.

PacketScore: A Statistics-Based Packet Filtering Scheme against Distributed Denial-of-Service Attacks

The Distributed Denial of Service (DDoS) attacks are a major threat to the Internet. The paper presents a DDoS mitigation scheme that supports automated online attack characterization and precise attack packet discarding on the basis of statistical processing. The key idea is to prioritize a packet on a rating scale that estimates its legitimacy from the attribute values it carries. Once the score of a packet is calculated, the scheme performs score-based selective packet discarding, where the discarding threshold is dynamically adjusted based on the score distribution of recent incoming packets and the current state of system overload. The paper describes the design and evaluation of automated attack characterization, selective packet discarding, and an overload control process. Special considerations are made to ensure that the scheme is suitable for high-speed hardware implementation through score generation and pipeline processing. A simulation study shows that PacketScore is very effective in blocking various types of attack under many conditions. One of the greatest threats to cyber security is Distributed Denial of Service (DDoS) attacks, in which victim networks are bombarded with a high volume of attack packets originating from a large number of machines. The aim of such attacks is to overburden the victim with a barrage of packets and make it unable to perform normal services for legitimate users. In a typical three-level DDoS attack, the attacker first compromises hosts called agents, which in turn compromise attack machines called zombies, which transfer the attack packets to the victim. Packets sent from zombie machines may have forged source IP addresses to make tracing hard.

Defense Against Spoofed IP Traffic Using Hop-Count Filtering

IP spoofing has often been exploited by Distributed Denial of Service (DDoS) attacks to (1) hide flooding sources and dilute localities in flooding traffic, and (2) coax legitimate hosts into becoming reflectors, redirecting and amplifying flooding traffic. Thus, the ability to filter spoofed IP packets near victim servers is important to their own protection and to the prevention of becoming involuntary DoS reflectors. Although an attacker can forge any field in the IP header, the attacker cannot falsify the number of hops an IP packet takes to reach its destination. More importantly, since hop counts are diverse, an attacker cannot randomly spoof IP addresses while keeping the hop counts consistent. On the other hand, a web server can easily infer the hop count information from the Time-to-Live (TTL) field of the IP header. With a mapping between IP addresses and their hop counts, the server can distinguish fake IP packets from legitimate ones. Based on this observation, we present a novel filtering technique, called hop count filtering (HCF), which builds an accurate IP-to-hop-count (IP2HC) mapping table to recognize and discard fake IP packets. HCF is easy to implement because it does not require support from the underlying network. By analysis using network data, we show that HCF can identify close to 90% of the fake IP packets and then discard them with little collateral damage. We implement and evaluate HCF in the Linux kernel to demonstrate its effectiveness with experimental measurements.
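An added illustration of the hop-count check summarized above (not the HCF authors' code). The list of initial TTL values, the 30-hop ceiling, the handling of unknown sources and all addresses are assumptions; the addresses are from documentation ranges and the packets are constructed.

```python
# Common initial TTL values set by operating systems (assumed list).
INITIAL_TTLS = (30, 32, 60, 64, 128, 255)
MAX_HOPS = 30  # assumed ceiling on a plausible Internet path length


def hop_candidates(observed_ttl):
    """Hop counts consistent with the TTL seen at the server.

    The sender's initial TTL is unknown, so every common initial value that
    leaves a plausible path length is kept (30/32 and 60/64 are ambiguous).
    """
    if not 0 <= observed_ttl <= 255:
        raise ValueError("TTL must fit in one byte")
    return {init - observed_ttl for init in INITIAL_TTLS
            if 0 <= init - observed_ttl <= MAX_HOPS}


class HopCountFilter:
    def __init__(self):
        self.ip2hc = {}  # IP-to-hop-count (IP2HC) mapping table

    def learn(self, src_ip, observed_ttl):
        """Record hop counts from traffic believed genuine,
        for example a completed TCP handshake."""
        self.ip2hc[src_ip] = hop_candidates(observed_ttl)

    def is_spoofed(self, src_ip, observed_ttl):
        """True when the packet's hop count contradicts the table entry."""
        known = self.ip2hc.get(src_ip)
        if known is None:
            return False  # no entry: the filter has no basis to judge
        return not (known & hop_candidates(observed_ttl))


def classify(hcf, packets):
    """Label each (source IP, TTL) pair as 'pass' or 'drop'."""
    return [(ip, ttl, "drop" if hcf.is_spoofed(ip, ttl) else "pass")
            for ip, ttl in packets]


if __name__ == "__main__":
    hcf = HopCountFilter()
    hcf.learn("198.51.100.7", 54)      # genuine host, 6 or 10 hops away
    sample = [                         # constructed packets
        ("198.51.100.7", 54),          # same path as learned
        ("198.51.100.7", 116),         # forged source, sender 12 hops away
        ("198.51.100.7", 46),          # forged source, sender 14 or 18 hops away
        ("203.0.113.9", 250),          # source not in the table
    ]
    for row in classify(hcf, sample):
        print(row)
```
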

Collaborative Detection and Filtering of Shrew DDoS Attacks Using Spectral Analysis

The paper presents a new spectral template-matching approach to countering shrew distributed denial-of-service (DDoS) attacks. These attacks are stealthy, periodic, pulsing, and low-rate in attack volume, very different from flooding attacks. They are launched periodically with high, narrow peaks at very low frequency. Thus, shrew attacks can endanger the victim systems for a long time without being discovered. In other words, such attacks can reduce the quality of services imperceptibly. The defense method calls for collaborative detection and filtering (CDF) of shrew DDoS attacks. Shrew attack flows hidden in legitimate TCP/UDP streams are detected by spectral analysis against a previously stored template of the average attack spectral properties. This new scheme is appropriate for software or hardware implementation.

Robust and efficient detection of DDoS attacks for large-scale internet

In recent years, distributed denial of service (DDoS) attacks have become a major threat to the security of Internet services. How to detect and defend against DDoS attacks is currently a hot topic in industry and academia. In the paper, the authors proposed a new framework to robustly and efficiently detect DDoS attacks and identify attack packets. The central idea of the framework is to use the spatial and temporal correlation of DDoS attack traffic. In this framework, they design a perimeter-based anti-DDoS system, in which traffic is analyzed only at the edge routers of an Internet service provider (ISP) network. The framework can detect any source-address-spoofed DDoS attack, no matter whether it is a low-volume attack or a high-volume attack. The novelties of the framework are (1) temporal-correlation-based feature extraction and (2) spatial-correlation-based detection. With these techniques, the scheme can accurately detect DDoS attacks and identify attack packets without changing existing IP forwarding mechanisms in routers. Their simulation results show that the proposed framework can detect DDoS attacks even if the volume of the attack traffic on each link is extremely small. In particular, for the same false alarm probability, the scheme has a detection probability of 0.97, while the existing system has a detection probability of 0.17, which illustrates the superior performance of the scheme.

On Scalable Attack Detection in the Network

Current intrusion detection and prevention systems try to detect a broad class of network intrusions (e.g., denial-of-service attacks, worms, port scans) at network vantage points. Unfortunately, all the IDSs we know of keep per-connection or per-flow state. So it is hardly surprising that IDSs (other than signature detection mechanisms) do not scale to multi-gigabit speeds. In contrast, note that both router lookups and fair queuing have scaled to high speeds using aggregation, via prefix lookups or DiffServ. Thus, in the paper, the authors initiated research into the question of whether one can identify attacks without holding per-flow state. They show that such aggregation, while making rapid implementations possible, immediately causes two problems. First, aggregation can cause behavioral aliasing, where, for example, good behaviors can aggregate to look like bad behaviors. Second, aggregated systems are vulnerable to spoofing, whereby the intruder sends attacks that have the appropriate aggregate behavior. They investigated a variety of DoS attacks and show that several categories (bandwidth based, claim-and-hold, host scanning) can be scalably recognized. In contrast, it seems that stealthy port scanning cannot be scalably detected without keeping per-flow state.

3. PROPOSED WORK

The proposed system is required to analyze the loss rate and change queue priority. Thus, a system with an efficient algorithm is necessary to minimize the loss rate for normal nodes. It is an effective and efficient IP traceback scheme against DDoS attacks based on entropy variations. It is a fundamentally different traceback mechanism from the currently adopted packet marking strategies. Much of the existing work on IP traceback depends on packet marking, either probabilistic packet marking or deterministic packet marking. Because of the vulnerability of the Internet, the packet marking mechanism suffers a number of serious drawbacks: lack of scalability, susceptibility to packet pollution from hackers, and an extraordinary challenge on storage space at victims or intermediate routers. The proposed system keeps the packet queue and drop log details. Continuous packet drops are easily noticed, and an alert procedure is invoked to reduce the loss rate. The new approach helps in efficient packet forwarding in the router. The new system uses a maximum throughput scheduling algorithm in order to serve high-speed as well as normal TCP packet flows efficiently. On the other hand, the proposed method can work independently as an additional module on routers to monitor and record flow information, and communicate with its upstream and downstream routers when the pushback procedure is performed.

3.1 ADVANTAGES

The proposed system has the following advantages:

1. Statistical analysis of packets received, queued and dropped is possible with more information.

2. Less time consuming in analyzing the packets.

3. Minimize the packet loss rate.

4. Assists in regulation of malicious packet sending nodes.

5. Alert sending to the affecting router.

6. The proposed strategy can trace back fast in larger-scale attack networks.

7. The proposed model can work as an independent software module with current routing modules.

4. SYSTEM DESIGN

4.1 System Modeling for IP Traceback on Entropy Variation

To describe the traceback mechanism clearly, Fig. 1 shows a sample network with DDoS attacks, used to demonstrate our traceback strategy. In a DDoS attack scenario, as shown in Fig. 1, the flows with the victim as their destination include legitimate flows, such as f3, and combinations of attack flows and legitimate flows, such as f1 and f2. Compared with non-attack cases, the volumes of some flows increase significantly in a very short period in DDoS attack cases.

Fig 1. A sample network with DDoS attacks.

Observers at routers R1, R4, R5 and V will notice the dramatic changes; however, the routers that are not on the attack paths, such as R2 and R3, will not be able to detect the variations. Therefore, once the victim realizes that an attack is under way, it can push back to the LANs that caused the changes, based on the information of flow entropy variations, and can therefore identify the positions of the attackers. The traceback can be carried out in a parallel and distributed fashion in our proposed scheme. In Fig. 1, based on its knowledge of entropy variations, the victim knows that attackers are somewhere behind router R1, and that there is no attacker behind router R2. Then the traceback request is delivered to router R1. Similar to the victim, router R1 knows that there are two groups of attackers: one group is behind the link to LAN0 and another group is behind the link to LAN1. Then the traceback requests are further delivered to the edge routers of LAN0 and LAN1. Based on the entropy variation information of router R3, the edge router of LAN0 can conclude that the attackers are in the local network, LAN0. Similarly, the edge router of LAN1 finds that there are attackers in LAN1; moreover, there are attackers behind router R4. The traceback request is then forwarded to the upstream routers, until we find the attackers in LAN5.

4.2 System Modeling

The packets passing through a router are categorized into flows. A flow is defined by a pair: the upstream router from which the packet came, and the destination address of the packet. Entropy is an information-theoretic concept, which is a measure of randomness. Entropy variation is used to measure changes in the randomness of flows at a router for a given time interval. It is noted that entropy variation is only one of the possible metrics. Chen and Hwang used a statistical feature, the change point of flows, to identify the anomaly of DDoS attacks [6]; but attackers could cheat this feature by increasing the attack strength slowly. Other statistical indicators can also be used to measure randomness, such as the standard variation or high-order moments of flows. Entropy variation is chosen rather than others because of the low computational workload for entropy variations. First, let us have a close examination of the flows at a router, as shown in Fig. 2. In general, a router knows its local topology, for example, its upstream routers, the local network domain connected to the router, and the downstream routers.

Fig 2. Traffic flows at a router on an attack path

The router that is being investigated is termed the local router. Let $I$ be the set of positive integers, and $R$ the set of real numbers. A flow on a local router is denoted by $\langle u_i, d_j, t \rangle,\ i, j \in I,\ t \in R$, where $u_i$ is an upstream router of a local router $R_i$, $d_j$ is the destination address of a group of packets that are passing through the local router $R_i$, and $t$ is the current time stamp. For example, the local router $R_i$ in Fig. 2 has two different incoming flows: the ones from the upstream routers $R_j$ and $R_k$, respectively. Flows of this kind are named transit flows. Another type of incoming flow of the local router $R_i$ is generated in the local area network; these are called local flows, and $L$ is used to represent the local flows. All the incoming flows are named input flows, and all the flows leaving router $R_i$ are named output flows. $u_i,\ i \in I$, denotes the immediate upstream routers of the local router $R_i$, and $U$ is the set of incoming flows of router $R_i$. Therefore,

U = { ui i

used to represent the destinations of the packets that are passing through the local router $R_i$. If $v$ is the victim router, then $v \in D$. Therefore, a flow at a local router can be defined as follows:

$|f_{ij}(u_i, d_j, t)|$ is denoted as the count number of packets of the flow $f_{ij}$ at time $t$. For a given of packets for a given flow is defined as follows:

5. METHOD

5.1 SERVER MODULE

In this module, packet types are added, along with router metric information such as packet type, incoming bit rate, maximum packet time to live, and packet resend times. While listening for incoming packets, the incoming packets log and the packets sent out normally are displayed using list box controls. The packet arrival details are also displayed in a chart control.

5.2 CLIENT APPLICATION FOR LAN

In this module, the IP address of the running node is found and used throughout the code. The packets are generated and sent out so that the information is stored in a table directly from that node. A new record in the ‘PacketsInFlow’ table is added during application load, and the packet count is updated each time packets are sent. The record type is saved as LAN. These packets need not be checked, since they are filtered out inside the network.

5.3 CLIENT APPLICATION FOR INCOMING ROUTERS

In this module, the IP address of the running node is found and used throughout the code. The packets are generated and sent out so that the information is stored in a. A new record in the ‘PacketsInFlow’ table is added during application load, and the packet count is updated each time packets are sent. The record type is saved as Router. These packets need to be checked using entropy variation, so as to identify flows that may attack one of the routers inside the network.

5.4 ENTROPY VARIATION

This module is a part of the server (router) application. In this module, it is assumed that there is no extraordinary change of network traffic in a very short time interval (for example, at the level of seconds) for non-DDoS attack cases. It is true that the network traffic at a router can change dynamically a lot from peak to off-peak service times. However, this type of change lasts for a relatively long period of time, for example, at least at the level of minutes. If these changes are broken down into seconds, the change of traffic is quite smooth in this context. The number of attack packets is at least an order of magnitude higher than that of normal flows. During a DDoS flooding attack, the number of attack packets increases dramatically. Only one DDoS attack is running at a given time. It might be true that a number of attacks are under way on the Internet simultaneously and that attack paths may overlap, but only the one-attack scenario is considered, to keep it simple and clear. The local flow monitoring algorithm and the IP traceback algorithm are implemented in this module.
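An added example (not the authors' code) of the flow-entropy bookkeeping from Sections 4.2 and 5.4 and the pushback walk from Section 4.1. The topology, packet counts, the `DELTA` threshold and the rule of resetting a victim-bound flow to its recorded non-attack mean are assumptions made for illustration, since the page gives no formulas or thresholds of its own.

```python
import math
import random
from statistics import mean

LOCAL = "L"   # flows generated in the router's own LAN (the page's local flows)
DELTA = 0.1   # assumed entropy-variation threshold, in bits


def flow_entropy(flows):
    """Shannon entropy (bits) of the packet-count distribution over flows.

    flows maps (upstream_router, destination) -> packets seen in one interval.
    """
    total = sum(flows.values())
    if total == 0:
        return 0.0
    return -sum(c / total * math.log2(c / total)
                for c in flows.values() if c > 0)


class Router:
    def __init__(self, name, history):
        # history: flow tables recorded during non-attack intervals
        self.name = name
        self.base_entropy = mean(flow_entropy(t) for t in history)
        self.base_count = {k: mean(t[k] for t in history) for k in history[0]}
        self.current = dict(history[-1])

    def variation(self, flows):
        return abs(flow_entropy(flows) - self.base_entropy)

    def under_attack(self):
        return self.variation(self.current) > DELTA

    def suspicious_upstreams(self, victim):
        """Upstream neighbours whose victim-bound flows explain the variation."""
        flows = dict(self.current)
        suspects = []
        bound = sorted((k for k in flows if k[1] == victim),
                       key=flows.get, reverse=True)
        for key in bound:                     # largest victim-bound flow first
            if self.variation(flows) <= DELTA:
                break                         # entropy is back to normal
            flows[key] = self.base_count.get(key, 0)   # undo this flow's surge
            suspects.append(key[0])
        return suspects


def traceback(routers, start, victim):
    """Pushback from the victim's router; returns the routers whose own LAN
    emits attack flows."""
    sources, pending, visited = set(), [start], set()
    while pending:
        name = pending.pop()
        if name in visited:
            continue
        visited.add(name)
        for upstream in routers[name].suspicious_upstreams(victim):
            if upstream == LOCAL:
                sources.add(name)
            elif upstream in routers:
                pending.append(upstream)      # forward the traceback request
    return sources


def build_sample_network(seed=7):
    """Constructed topology and traffic: V <- R1 <- {E0, E1 <- R4}, V <- R2."""
    rng = random.Random(seed)
    dests = ["victim", "d2", "d3"]
    upstreams = {"V": ["R1", "R2"], "R1": ["E0", "E1"], "R2": [LOCAL],
                 "E0": [LOCAL], "E1": [LOCAL, "R4"], "R4": [LOCAL]}

    def table(name):
        return {(u, d): rng.randint(90, 110)
                for u in upstreams[name] for d in dests}

    routers = {n: Router(n, [table(n) for _ in range(5)]) for n in upstreams}
    # Zombies in the LANs of E0 and E1 each add 2000 packets per interval.
    surge = {"E0": {LOCAL: 2000}, "E1": {LOCAL: 2000},
             "R1": {"E0": 2000, "E1": 2000}, "V": {"R1": 4000}}
    for name, extra in surge.items():
        for upstream, packets in extra.items():
            routers[name].current[(upstream, "victim")] += packets
    return routers


if __name__ == "__main__":
    net = build_sample_network()
    for r in net.values():
        print(r.name, round(flow_entropy(r.current), 3), r.under_attack())
    print("attack sources:", sorted(traceback(net, "V", "victim")))
```

Routers off the attack path (R2 and R4 in this constructed network) keep their normal entropy and are never sent a traceback request.
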

The following section describes the efficiency of the proposed robust execution of the packet flow in routers. The implementation is carried out using the NS2 simulator, and the robust execution is developed to prevent DDoS attacks by utilizing the traceback approach. The simulation output is shown in the following figures.

Fig 3: LOGIN FORM

Fig 4: PACKET TYPES MENU

Fig 5: PACKET TYPE FORM

Fig 6: OUTER MENU

Fig 7: Entropy Menu


Fig 9: Incoming Packets To Router

Thus, the above experimental studies show that packets are transmitted in an efficient manner using the router, which avoids DDoS attacks successfully.

7. CONCLUSION

This project proposes an effective and efficient IP traceback scheme against DDoS attacks based on entropy variations. It is a fundamentally different traceback mechanism from the currently adopted packet marking strategies. Much of the existing work on IP traceback depends on packet marking, either probabilistic packet marking or deterministic packet marking. Because of the vulnerability of the Internet, the packet marking mechanism suffers a number of serious drawbacks: lack of scalability, susceptibility to packet pollution from hackers, and an extraordinary challenge on storage space at victims or intermediate routers. On the other hand, the proposed method needs no marking on packets and therefore avoids the inherent shortcomings of packet marking mechanisms. It uses features that are beyond the control of hackers to run IP traceback. It observes and stores information of flow entropy variations at routers. Once a DDoS attack has been identified by the victim through detection algorithms, the victim then initiates the pushback tracing procedure. The traceback algorithm first identifies its upstream routers where the attack flows came from, and then submits the traceback requests to the appropriate upstream routers. This process continues until the most far away zombies are identified, or until it reaches the discrimination limit of DDoS attack flows. Extensive experiments and simulations were performed, and the results show that the proposed mechanism works very well in terms of effectiveness and efficiency. Compared to the existing system, the proposed strategy can quickly trace back larger-scale attack networks.

8. FUTURE DEVELOPMENT

The metric for DDoS attack flows can be further explored. The proposed method deals perfectly with packet flooding types of attacks. But for attacks with low attack packet rates, for example, if the attack strength is less than seven times the strength of non-attack flows, the current metric cannot distinguish them. Therefore, a metric of finer granularity is required to deal with such a situation. Location estimation of attackers with partial information: when the attack strength is less than seven times the normal flow packet rate, the proposed method cannot succeed at the moment. However, the attack can be detected with the information that has been accumulated so far using traditional methods. The differentiation of DDoS attacks and flash crowds: in this project, this problem is not addressed; the proposed method may treat a flash crowd as a DDoS attack, and therefore lead to false-positive alarms.

REFERENCES

[1] T. Peng, C. Leckie, and K. Ramamohanarao,

“Survey of Network-Based Defense

Mechanisms Countering the DoS and DDoS Problems,” ACM Computing Surveys, vol. 39, no. 1, p. 3, 2007.

[2] CLARK, D. D. 1988. The design philosophy of the DARPA Internet protocols. In Proceedings of SIGCOMM (Stanford, CA). 106–114.

[3] GLIGOR, V. D. 1984. A note on denial-of-service in operating systems. IEEE Trans. Softw. Eng. 10, 3, 320–324.

[4] N , R. M. 1994. Denial of service: an example. Commun. ACM 37, 11, 42–46.

[5] HUSSAIN,A.,HEIDEMANN,J.,AND

PAPADOPOULOS,C. 2003. Aframework for classifying denial of service attacks. In

Proceedings of the ACM SIGCOMM

Conference (Karlsruhe, Germany). 99–110. [6] CERT. 1996. CERT Advisory CA-1996-26: denial-of-service attack via ping. Go online to http://www.cert.org/advisories/CA-1996-26.html.

[7] GARBER, L. 2000. Denial-of-service attacks rip the Internet. IEEE Comput. 33, 4 (Apr.), 12–17.

[8] SCALZO, F. 2006. Recent dns reflector

attacks. VeriSign. Go online to

http://www.nanog.org/mtg-0606/pdf/frank-scalzo.pdf.

[9] VAUGHN,R. AND EVRON, G. 2006. DNS

amplification attacks. Go online to

http://www.isotf.org/news/DNS-Amplification-Attacks.pdf.

[10] CHANG, R. K. C. 2002. Defending against flooding-based distributed denial-of-service attacks: A tutorial. IEEE Commun. Mag. 40, 10 (Oct.), 42–51.

[11] MIRKOVIC,J. AND REIHER, P. 2004. A taxonomy of DDoS attack and DDoS defense

mechanisms. ACM SIG-COMM Comput. Commun. Rev. 34, 2, 39–53.

[12] Y. Kim et al., “PacketScore: A Statistics-Based Packet Filtering Scheme against Distributed Denial-of-Service Attacks,” IEEE Trans. Dependable and Secure Computing, vol. 3, no. 2, pp. 141-155, Apr.-June 2006. [13] D. Moore, G.M. Voelker, and S. Savage, “Inferring Internet Denial-of-Service Activity,” Proc. 10th USENIX Security Symp., Aug. 2001. [14] L. Garber, “Denial-of-Service Attacks Rip the Internet,” Computer, pp. 12-17, Apr. 2000.

[15] CSI/FBI Survey, http://www.gocsi.com/forms/fbi/csi_fbi_sur vey.jhtml, 2006. [16] FBI Fugitive, http://www.fbi.gov/wanted/fugitives/cyber /echouafni_s.htm, 2006.

[17] P. Ferguson and D. Senie, “Network Ingress Filtering: Defeating Denial of Service Attacks which Employ IP Source Address Spoofing,” RFC 2827, 2000.

[18] H.Wang, D. Zhang, and K.G. Shin, “Change-Point Monitoring for the Detection of DoS Attacks,” IEEE Trans. Dependable and Secure Computing, vol. 1, no. 4, Oct.-Dec. 2004.

[19] S. Savage, D. Wetherall, A. Karlin, and T. Anderson, “Network Support for IP Traceback,” IEEE/ACM Trans. Networking, vol. 9, no. 3, June 2001.

[20] J. Mirkovic, G. Prier, and P. Reiher, “Attacking DDoS at the Source,” Proc. 10th IEEE Int’l Conf. Network Protocols, Nov. 2002. [21] A. Kuzmanovic and E.W. Knightly,

“Low-Rate TCP-Targeted

DenialofServiceAttacks(TheShrewvs. the Mice and Elephants),” Proc. ACM SIGCOMM 2003, Aug. 2003.

[22] Cisco IOS Security Configuration Guide, Release 12.2 “Configuring Unicast Reverse Path Forwarding,” pp. SC-431-SC-446, http://www.cisco.com/univercd/cc/td/doc/

(13)

19

product/software/ios122/122cgcr/fsecur_c/ fothersf/scfrpf.pdf. 2006, 2006.

[23] K. Park and H. Lee, “On the Effectiveness

of Route-Based Packet Filtering for

Distributed DoS Attack Prevention in Power-Law Internets,” Proc. ACM SIGCOMM, pp. 15-26, 2001.

[24] C. Jin, H. Wang, and K.G. Shin, “Hop-Count Filtering: An Effective Defense against Spoofed Traffic,” Proc. ACM Conf. Computer and Comm. Security (CCS ’03), Oct. 2003. [25] J. Ioannidis and S.M. Bellovin,

“Implementing Pushback: Router-Based

Defense against DDoS Attacks,” Proc. Network and Distributed System Security Symp., Feb. 2002.

[26] A.D. Keromytis, V. Misra, and D. Rubenstein, “SOS: An Architecture for Mitigating DDoS Attacks,” IEEE J. Selected Areas in Comm., vol. 22, no. 1, pp. 176-188, Jan. 2004.

[27] Y. Kim, J.Y. Jo, and F. Merat, “Defeating Distributed Denial-of-Service Attack with Deterministic Bit Marking,” Proc. IEEE GLOBECOM, Dec. 2003.

[28] Y. Xu and R. Gue ´rin, “On the Robustness of Router-Based Denial-of-Service (DoS) Defense Systems,” ACM SIGCOMM Computer Comm. Rev., vol. 35, no. 3, July 2005.

[29] Y. Kim, J.Y. Jo, H.J. Chao, and F. Merat, “High-Speed Router Filter for Blocking TCP Flooding under Distributed Denial-of-service Attack,” Proc. IEEE Int’l Performance, Computing, and Comm. Conf., Apr. 2003. [30] A. Yaar and D. Song, “SIFF: A Stateless Internet Flow Filter to Mitigate DDoS Flooding Attacks,” Proc. 2004 IEEE Symp. Security and Privacy, 2004.

[31] Y. Kim, W.C. Lau, M.C. Chuah, and H.J. Chao, “PacketScore: Statistics-Based Overload Control against Distributed Denial-of-Service Attacks,” Proc. IEEE INFOCOM, Mar. 2004.
