Abstract
DDoS mitigation schemes are of growing importance in the Internet. The main hurdle such schemes face is the nearly indistinguishable line between malicious and genuine traffic. We argue that this is best tackled by a shift in connection handling: attesting the path a packet has taken. We therefore propose a Path Attestation Scheme coupled with a metric, the Confidence Index, to separate malicious from genuine traffic progressively, with varying levels of certainty. We support the work with an experimental study of the stability of Internet topology, using 134 different global Internet paths over a period of 16 days. The Path Attestation Scheme successfully distinguished malicious from genuine traffic 85% of the time. The scheme presupposes support from a fraction of the routers on the path.
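To make the two ideas in the abstract concrete, the following is an added illustrative model, not the authors' scheme or code: a fraction of routers on a path stamp packets with a keyed mark, and a victim-side verifier learns the attested path per source during quiet periods and turns each later packet into a confidence index used for graded handling (accept, rate-limit, drop). Everything specific here is assumed rather than taken from the paper: the HMAC-based mark, per-router keys shared with the verifier, the Jaccard-style path agreement, the threshold bands, and the constructed topology and addresses in `demo()`.

```python
import hashlib
import hmac
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Router:
    rid: str              # router identifier
    attests: bool         # whether this router participates in attestation
    secret: bytes = b""   # per-router key shared with the verifier (assumed design)


def router_mark(rid: str, secret: bytes, src: str, dst: str) -> str:
    """Mark an attesting router stamps on a packet: a short keyed digest binding
    the router to the (src, dst) pair. Without the key an attacker cannot claim
    a router it never crossed. Assumed construction; the paper does not specify it."""
    msg = f"{rid}|{src}|{dst}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:8]


def forward(path: list, src: str, dst: str) -> tuple:
    """Simulate a packet with header (src, dst) crossing the routers in `path`.
    Only attesting routers add a mark; the others are invisible to the victim."""
    return tuple((r.rid, router_mark(r.rid, r.secret, src, dst))
                 for r in path if r.attests)


class Verifier:
    """Victim-side filter: learns the attested path per source, then scores each
    new packet with a confidence index in [0, 1] and maps it to an action."""

    ACCEPT, RATE_LIMIT = 0.8, 0.4       # band thresholds (assumed, not the paper's)

    def __init__(self, keys: dict):
        self.keys = keys                             # rid -> router secret
        self.history = defaultdict(Counter)          # src -> Counter of mark tuples

    def marks_valid(self, src: str, dst: str, marks: tuple) -> bool:
        for rid, m in marks:
            key = self.keys.get(rid)
            if key is None or not hmac.compare_digest(m, router_mark(rid, key, src, dst)):
                return False
        return True

    def learn(self, src: str, dst: str, marks: tuple) -> None:
        """Record a packet observed during a quiet (non-attack) period."""
        if self.marks_valid(src, dst, marks):
            self.history[src][marks] += 1

    def confidence(self, src: str, dst: str, marks: tuple) -> float:
        if not self.marks_valid(src, dst, marks):
            return 0.0                               # forged mark: hostile with certainty
        hist = self.history.get(src)
        if not hist:
            return 0.5 if marks else 0.3             # unknown source: weak evidence only
        expected, seen = hist.most_common(1)[0]
        stability = seen / sum(hist.values())        # how steady the learned path was
        want = {rid for rid, _ in expected}
        got = {rid for rid, _ in marks}
        union = want | got
        agreement = len(want & got) / len(union) if union else 0.0
        return stability * agreement

    def classify(self, src: str, dst: str, marks: tuple) -> str:
        c = self.confidence(src, dst, marks)
        if c >= self.ACCEPT:
            return "accept"
        if c >= self.RATE_LIMIT:
            return "rate-limit"
        return "drop"


def demo() -> dict:
    """Constructed topology (not from the paper): client C reaches victim V over
    R1 -> R2 -> R3, of which only R1 and R3 attest. Attacker A spoofs C's address
    from elsewhere and reaches V over R4 -> R3 or over the non-attesting R5."""
    k1, k3, k4 = b"key-r1", b"key-r3", b"key-r4"
    R1, R2, R3 = Router("R1", True, k1), Router("R2", False), Router("R3", True, k3)
    R4, R5 = Router("R4", True, k4), Router("R5", False)
    v = Verifier({"R1": k1, "R3": k3, "R4": k4})
    C, V = "10.0.0.7", "203.0.113.9"
    A = C                                            # attacker spoofs C's address
    genuine = [R1, R2, R3]
    for _ in range(16):                              # learning period
        v.learn(C, V, forward(genuine, C, V))

    honest = forward(genuine, C, V)
    spoof_other_path = forward([R4, R3], A, V)       # valid marks, but wrong path
    spoof_no_attesters = forward([R5], A, V)         # crossed no attesting router
    forged = (("R1", "deadbeef"),) + spoof_other_path[1:]   # attacker fakes R1's mark
    unknown_src = "198.51.100.2"                     # never-seen source
    unknown = forward([R4, R3], unknown_src, V)
    return {
        "genuine": v.classify(C, V, honest),
        "spoof_other_path": v.classify(A, V, spoof_other_path),
        "spoof_no_attesters": v.classify(A, V, spoof_no_attesters),
        "forged_mark": v.classify(A, V, forged),
        "unknown_source": v.classify(unknown_src, V, unknown),
    }
```

Running `demo()` gives accept for the genuine client, rate-limit for the unknown source, and drop for the three attack cases. The caveat the abstract's last sentence points at shows up directly: a source whose path crosses no attesting router yields no path evidence at all, so the score for that case is a policy choice rather than something the attestation can decide.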
© 2010 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Bhattacharjee, R., Sanand, S., Raghavan, S.V. (2010). Path Attestation Scheme to Avert DDoS Flood Attacks. In: Crovella, M., Feeney, L.M., Rubenstein, D., Raghavan, S.V. (eds) NETWORKING 2010. NETWORKING 2010. Lecture Notes in Computer Science, vol 6091. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-12963-6_32
DOI: https://doi.org/10.1007/978-3-642-12963-6_32
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-12962-9
Online ISBN: 978-3-642-12963-6