New Mitigating Technique to Overcome DDOS Attack
Authors: V. Praveena, N. Kiruthika
Abstract:
In this paper, we explore a new scheme for filtering spoofed packets (as used in DDOS attacks) that combines the path fingerprint and client puzzle concepts. Each IP packet carries an embedded, unique fingerprint that represents the route the packet has traversed. The server maintains a mapping table that records each client IP address and its corresponding fingerprint. A client puzzle is placed at the ingress router: for each request, the puzzle issuer provides a puzzle which the source has to solve. Our design has the following advantages over prior approaches: 1) it reduces network traffic, since the client puzzle is placed at the ingress router; 2) the mapping table at the server is lightweight and moderate in size.
Keywords: Client puzzle, DDOS attack, Egress, Ingress, IP Spoofing, Spoofed Packet.
Digital Object Identifier (DOI): doi.org/10.5281/zenodo.1056012
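To illustrate the two checks the abstract combines, the following added example (not the paper's own code) simulates a hash-based client puzzle issued at the ingress router and a fingerprint-to-IP mapping table consulted at the server; the fingerprint construction (a short hash over the ordered router IDs on the path), the puzzle difficulty and all addresses are assumptions made up for this illustration.

```python
import hashlib
import os

# Assumed difficulty: the solver must find a counter whose hash starts with
# PUZZLE_BITS zero bits, so solving costs about 2**PUZZLE_BITS hashes while
# verification costs one.
PUZZLE_BITS = 12


def issue_puzzle(router_secret: bytes, client_ip: str) -> bytes:
    # Ingress router hands each request a fresh nonce bound to the client IP.
    return hashlib.sha256(router_secret + client_ip.encode() + os.urandom(8)).digest()


def verify_puzzle(nonce: bytes, counter: int) -> bool:
    # Single hash: cheap for the router, expensive for a flooding source.
    digest = hashlib.sha256(nonce + counter.to_bytes(8, "big")).digest()
    return int.from_bytes(digest[:4], "big") >> (32 - PUZZLE_BITS) == 0


def solve_puzzle(nonce: bytes) -> int:
    # Client brute-forces the smallest counter that satisfies the puzzle.
    counter = 0
    while not verify_puzzle(nonce, counter):
        counter += 1
    return counter


def path_fingerprint(router_ids: list) -> str:
    # Assumed fingerprint: compact hash of the ordered routers the packet crossed.
    return hashlib.sha256("/".join(router_ids).encode()).hexdigest()[:8]


def server_accepts(mapping: dict, src_ip: str, fingerprint: str) -> bool:
    # A spoofed packet carries a legitimate client's IP but arrives by a
    # different path, so its fingerprint does not match the table entry.
    return mapping.get(src_ip) == fingerprint


def filter_packet(mapping: dict, nonce: bytes, pkt: dict) -> str:
    # Ingress check first (unsolved floods never reach the server), then the
    # server's fingerprint check on whatever gets through.
    if not verify_puzzle(nonce, pkt["solution"]):
        return "dropped: puzzle not solved"
    if not server_accepts(mapping, pkt["src_ip"], pkt["fingerprint"]):
        return "dropped: fingerprint mismatch"
    return "accepted"
```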