Defending against spoofed DDoS attacks with path fingerprint

Fu Yuan Lee*, Shiuh-Pyng Shieh

*Corresponding author for this work

Research output: Contribution to journalArticle

34 Scopus citations

Abstract

In this paper, we propose a new scheme, called ANTID, for detecting and filtering DDoS attacks which use spoofed packets to circumvent the conventional intrusion detection schemes. The proposed anti-DDoS scheme intends to complement, rather than replace conventional schemes. By embedding in each IP packet a unique path fingerprint that represents the route an IP packet has traversed, ANTID is able to distinguish IP packets that traverse different Internet paths. In ANTID, a server maintains for each of its communicating clients the mapping from the client's IP address to the corresponding path fingerprint. The construction and renewal of these mappings is performed in an on-demand fashion that helps to reduce the cost of maintenance. With presence of the mapping table, the onset of a spoofed DDoS attack can be detected by observing a surge of spoofed packets. Consequently, spoofed attack packets are filtered so as to sustain the quality of protected Internet services. ANTID is lightweight, robust, and incrementally deployable. Our experiment results showed that the proposed scheme can detect 99.95% spoofed IP packets and can discard them with little collateral damage to legitimate clients. It also showed that the higher the aggregated attack rate is, the sooner the attack can be detected.

Original languageEnglish
Pages (from-to)571-586
Number of pages16
JournalComputers and Security
Volume24
Issue number7
DOIs
StatePublished - 1 Oct 2005

Keywords

  • DDoS
  • IP spoofing
  • Intrusion detection
  • Network security

Fingerprint Dive into the research topics of 'Defending against spoofed DDoS attacks with path fingerprint'. Together they form a unique fingerprint.

Cite this