ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
Defense against spoofed IP traffic using hop-count filtering
Full text PdfPdf (782 KB)
Source IEEE/ACM Transactions on Networking (TON) archive
Volume 15 ,  Issue 1  (February 2007) table of contents
Pages: 40 - 53  
Year of Publication: 2007
ISSN:1063-6692
Authors
Haining Wang  College of William and Mary, Williamsburg, VA and Department of Electrical Engineering and Computer Science, University of Michigan, Ann Arbor, MI
Cheng Jin  California Institute of Technology, Pasadena, CA and Department of Electrical Engineering and Computer Science, University of Michigan, Ann Arbor, MI
Kang G. Shin  Department of Electrical Engineering and Computer Science, University of Michigan, Ann Arbor, MI
Publisher
IEEE Press  Piscataway, NJ, USA
Bibliometrics
Downloads (6 Weeks): 18,   Downloads (12 Months): 184,   Citation Count: 4
Additional Information:

abstract   references   cited by   index terms   collaborative colleagues  

Tools and Actions: Review this Article  
DOI Bookmark: 10.1109/TNET.2006.890133

ABSTRACT

IP spoofing has often been exploited by Distributed Denial of Service (DDoS) attacks to: 1) conceal flooding sources and dilute localities in flooding traffic, and 2) coax legitimate hosts into becoming reflectors, redirecting and amplifying flooding traffic. Thus, the ability to filter spoofed IP packets near victim servers is essential to their own protection and prevention of becoming involuntary DoS reflectors. Although an attacker can forge any field in the IP header, he cannot falsify the number of hops an IP packet takes to reach its destination. More importantly, since the hop-count values are diverse, an attacker cannot randomly spoof IP addresses while maintaining consistent hop-counts. On the other hand, an Internet server can easily infer the hop-count information from the Time-to-Live (TTL) field of the IP header. Using a mapping between IP addresses and their hop-counts, the server can distinguish spoofed IP packets from legitimate ones. Based on this observation, we present a novel filtering technique, called Hop-Count Filtering (HCF)--which builds an accurate IP-to-hop-count (IP2HC) mapping table--to detect and discard spoofed IP packets. HCF is easy to deploy, as it does not require any support from the underlying network. Through analysis using network measurement data, we show that HCF can identify close to 90% of spoofed IP packets, and then discard them with little collateral damage. We implement and evaluate HCF in the Linux kernel, demonstrating its effectiveness with experimental measurements.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

 
1
[1] A. Dave, tcptraceroute. [Online]. Available: http://nms.lcs.mit.edu/ software/ron/
 
2
[2] Razor Team at Bindview, Despoof. 2000 [Online]. Available: http:// razor.bindview.com/tools/desc/despoof_readme.html
 
3
Gaurav Banga , Peter Druschel , Jeffrey C. Mogul, Resource containers: a new facility for resource management in server systems, Proceedings of the third symposium on Operating systems design and implementation, p.45-58, February 1999, New Orleans, Louisiana, United States
 
4
[4] S. M. Bellovin, "ICMP traceback messages," Internet Draft: Draft-Bellovin-Itrace-00.txt (Work in Progress), Mar. 2000.
 
5
[5] D. J. Bernstein and E. Schenk, Linux kernel SYN cookies firewall project. [Online]. Available: http://www.bronzesoft.org/projects/scfw
 
6
[6] N. Bhatti and R. Friedrich, "Web server support for tiered services," IEEE Network, vol. 13, no. 5, pp. 64-71, Sep./Oct. 1999.
 
7
[7] TCP SYN flooding and IP spoofing. CERT Advisory CA-96.21, 2000 [Online]. Available: http://www.cert.org/advisories/CA-96-21.html
 
8
[8] Smurf IP denial-of-service attacks. CERT Advisory CA-98.01, 1998 [Online]. Available: http://www.cert.org/advisories/CA-98-01.html
 
9
[9] B. Cheswick, H. Burch, and S. Branigan, "Mapping and visualizing the Internet," in Proc. USENIX Annu. Technical Conf., 2000, pp. 1-12.
 
10
[10] K. Claffy, T. E. Monk, and D. McRobb, "Internet tomography," Nature, Jan. 7, 1999.
 
11
[11] E. Cronin, S. Jamin, C. Jin, T. Kurc, D. Raz, and Y. Shavitt, "Constrained mirror placement on the Internet," IEEE J. Sel. Areas Commun., vol. 20, no. 7, pp. 1369-1382, Sep. 2002.
 
12
Sven Dietrich , Neil Long , David Dittrich, Analyzing Distributed Denial of Service Tools: The Shaft Case, Proceedings of the 14th USENIX conference on System administration, December 03-08, 2000, New Orleans, Louisiana
 
13
[13] D. Dittrich, Distributed Denial of Service (DDoS) attacks/tools page. [Online]. Available: http://staff.washington.edu/dittrich/misc/ddos/
 
14
[14] The Swiss Education and Research Network, Default TTL values in TCP/IP. 2002 [Online]. Available: http://secfr.nerim.net/docs/fingerprint/en/ttl_default.html
 
15
P. Ferguson , D. Senie, Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing, RFC Editor, 1998
 
16
[16] National Laboratory for Applied Network Research, Active Measurement Project (Amp), 1998 [Online]. Available: http://watt.nlanr.net/
 
17
Steve Romig, The OSU Flow-tools Package and CISCO NetFlow Logs, Proceedings of the 14th USENIX conference on System administration, December 03-08, 2000, New Orleans, Louisiana
 
18
[18] S. Gibson, Distributed reflection denial of service Gibson Research Corp., Tech. Rep., Feb. 2002 [Online]. Available: http://grc.com/dos/ drdos.htm
 
19
[19] T. M. Gil and M. Poletter, "MULTOPS: a data-structure for bandwidth attack detection," in Proc. USENIX Security Symp., 2001, pp. 23-38.
 
20
[20] R. Govinda and H. Tangmunarunkit, "Heuristics for Internet map discovery," in Proc. IEEE INFOCOM, 2000, pp. 1371-1380.
21
Alefiya Hussain , John Heidemann , Christos Papadopoulos, A framework for classifying denial of service attacks, Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications, August 25-29, 2003, Karlsruhe, Germany  [doi>10.1145/863955.863968]
 
22
[22] Arbor Networks Inc., Peakflow DoS 2002 [Online]. Available: http:// arbornetworks.com/standard?tid=34&cid=14
 
23
[23] J. Ioannidis and S. M. Bellovin, "Implementing pushback: Router-based defense against DDoS attacks," in Proc. NDSS'2002, San Diego, CA, Feb. 2002.
 
24
[24] A. Juels and J. Brainard, "Client puzzle: A cryptographic defense against connection depletion attacks," in Proc. NDSS'99, San Diego, CA, Feb. 1999.
25
Angelos D. Keromytis , Vishal Misra , Dan Rubenstein, SOS: secure overlay services, Proceedings of the 2002 conference on Applications, technologies, architectures, and protocols for computer communications, August 19-23, 2002, Pittsburgh, Pennsylvania, USA
26
Balachander Krishnamurthy , Jia Wang, On network-aware clustering of Web clients, Proceedings of the conference on Applications, Technologies, Architectures, and Protocols for Computer Communication, p.97-110, August 28-September 01, 2000, Stockholm, Sweden
27
Aleksandar Kuzmanovic , Edward W. Knightly, Low-rate TCP-targeted denial of service attacks: the shrew vs. the mice and elephants, Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications, August 25-29, 2003, Karlsruhe, Germany  [doi>10.1145/863955.863966]
 
28
Craig Labovitz , Abha Ahuja , Farnam Jahanian, Experimental Study of Internet Stability and Backbone Failures, Proceedings of the Twenty-Ninth Annual International Symposium on Fault-Tolerant Computing, p.278, June 15-18, 1999
 
29
[29] J. Li, J. Mirkovic, M. Wang, P. Reiher, and L. Zhang, "Save: Source address validity enforcement protocol," in Proc. IEEE INFOCOM, 2002, pp. 1557-1566.
 
30
[30] J. Li, M. Sung, J. Xu, and L. Li, "Large-scale IP traceback in high-speed Internet: Practical techniques and theoretical foundation," in Proc. IEEE Symp. Security and Privacy, 2004, pp. 115-129.
31
Ratul Mahajan , Steven M. Bellovin , Sally Floyd , John Ioannidis , Vern Paxson , Scott Shenker, Controlling high bandwidth aggregates in the network, ACM SIGCOMM Computer Communication Review, v.32 n.3, p.62-73, July 2002  [doi>10.1145/571697.571724]
32
David Moore , Colleen Shannon , Douglas J. Brown , Geoffrey M. Voelker , Stefan Savage, Inferring Internet denial-of-service activity, ACM Transactions on Computer Systems (TOCS), v.24 n.2, p.115-139, May 2006  [doi>10.1145/1132026.1132027]
 
33
[33] R. T. Morris, "A weakness in the 4.2bsd UNIX TCP/IP software," AT&T Bell Laboratories, Murray Hill, NJ, Comput. Sci. Tech. Rep. 117, 1985.
 
34
[34] Mazu Networks, Enforcer, 2002 [Online]. Available: http://www. mazunetworks.com/products/
 
35
Peter G. Neumann , Phillip A. Porras, Experience with EMERALD to Date, Proceedings of the Workshop on Intrusion Detection and Network Monitoring, p.73-80, April 09-12, 1999
36
Kihong Park , Heejo Lee, On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law internets, Proceedings of the 2001 conference on Applications, technologies, architectures, and protocols for computer communications, p.15-26, August 2001, San Diego, California, United States
 
37
Vern Paxson, End-to-end routing behavior in the Internet, IEEE/ACM Transactions on Networking (TON), v.5 n.5, p.601-615, Oct. 1997  [doi>10.1109/90.649563]
38
Vern Paxson, An analysis of using reflectors for distributed denial-of-service attacks, ACM SIGCOMM Computer Communication Review, v.31 n.3, July 2001  [doi>10.1145/505659.505664]
 
39
[39] M. Poletto, "Practical approaches to dealing with DDoS attacks," presented at the North America Network Operators' Group (NANOG 22), Scottsdale, AZ, May 2001 [Online]. Available: http://www.nanog.org/ mtg-0105/poletto.html
40
Xiaohu Qie , Ruoming Pang , Larry Peterson, Defensive programming: using an annotation toolkit to build DoS-resistant software, Proceedings of the 5th symposium on Operating systems design and implementation

Due to copyright restrictions we are not able to make the PDFs for this conference available for downloading

, December 09-11, 2002, Boston, Massachusetts  [doi>10.1145/1060289.1060295]
41
Jennifer Rexford , Jia Wang , Zhen Xiao , Yin Zhang, BGP routing stability of popular destinations, Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment, November 06-08, 2002, Marseille, France  [doi>10.1145/637201.637232]
 
42
[42] J. H. Salim, R. Olsson, and A. Kuznetsov, "Beyond Softnet," in Proc. 5th Annu. Linux Showcase and Conf., Nov. 2001, pp. 165-172.
43
Stefan Savage , David Wetherall , Anna Karlin , Tom Anderson, Practical network support for IP traceback, Proceedings of the conference on Applications, Technologies, Architectures, and Protocols for Computer Communication, p.295-306, August 28-September 01, 2000, Stockholm, Sweden
44
Aman Shaikh , Chris Isett , Albert Greenberg , Matthew Roughan , Joel Gottlieb, A case study of OSPF behavior in a large enterprise network, Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment, November 06-08, 2002, Marseille, France  [doi>10.1145/637201.637236]
45
Alex C. Snoeren, Hash-based IP traceback, Proceedings of the 2001 conference on Applications, technologies, architectures, and protocols for computer communications, p.3-14, August 2001, San Diego, California, United States
 
46
[46] D. Song and A. Perrig, "Advanced and authenticated marking schemes for IP traceback," in Proc. IEEE INFOCOM, 2001, vol. 2, pp. 878-886.
 
47
Oliver Spatscheck , Larry L. Peterson, Defending against denial of service attacks in Scout, Proceedings of the third symposium on Operating systems design and implementation, p.59-72, February 1999, New Orleans, Louisiana, United States
48
Neil Spring , Ratul Mahajan , David Wetherall, Measuring ISP topologies with rocketfuel, Proceedings of the 2002 conference on Applications, technologies, architectures, and protocols for computer communications, August 19-23, 2002, Pittsburgh, Pennsylvania, USA
 
49
[49] R. Stone, "Centertrack: An IP overlay network for tracking DoS floods," in Proc. 9th USENIX Security Symp., 2000, pp. 199-212.
 
50
Minho Sung , Jun Xu, IP Traceback-Based Intelligent Packet Filtering: A Novel Technique for Defending against Internet DDoS Attacks, Proceedings of the 10th IEEE International Conference on Network Protocols, p.302-311, November 12-15, 2002
 
51
[51] S. Templeton and K. Levitt, "Detecting spoofed packets," in Proc. 3rd DARPA Information Survivability Conf. and Expo. (DISCEX III), 2003, pp. 164-175.
 
52
[52] H. Wang, D. Zhang, and K. G. Shin, "Detecting SYN flooding attacks," in Proc. IEEE INFOCOM, 2002, pp. 1530-1539.
 
53
XiaoFeng Wang , Michael K. Reiter, Defending Against Denial-of-Service Attacks with Puzzle Auctions, Proceedings of the 2003 IEEE Symposium on Security and Privacy, p.78, May 11-14, 2003
 
54
[54] G. R. Wright and W. R. Stevens, TCP/IP Illustrated, Volume 2. Reading, MA: Addison-Wesley, 1994.
 
55
Abraham Yaar , Adrian Perrig , Dawn Song, Pi: A Path Identification Mechanism to Defend against DDoS Attacks, Proceedings of the 2003 IEEE Symposium on Security and Privacy, p.93, May 11-14, 2003
 
56
David K. Y. Yau , John C. S. Lui , Feng Liang , Yeung Yam, Defending against distributed denial-of-service attacks with max-min fair server-centric router throttles, IEEE/ACM Transactions on Networking (TON), v.13 n.1, p.29-42, February 2005  [doi>10.1109/TNET.2004.842221]

CITED BY  4
Yang Li , Li Guo , Zhi-Hong Tian , Tian-Bo Lu, A lightweight web server anomaly detection method based on transductive scheme and genetic algorithms, Computer Communications, v.31 n.17, p.4018-4025, November, 2008
Toby Ehrenkranz , Jun Li, On the state of IP spoofing defense, ACM Transactions on Internet Technology (TOIT), v.9 n.2, p.1-29, May 2009
Indrajeet B. Mopari , S. G. Pukale , M. L. Dhore, Detection of DDoS attack and defense against IP spoofing, Proceedings of the International Conference on Advances in Computing, Communication and Control, January 23-24, 2009, Mumbai, India
Udaya Kiran Tupakula , Vijay Varadharajan , Srini Rao Pandalaneni, DoSTRACK: a system for defending against DoS attacks, Proceedings of the 2009 ACM symposium on Applied Computing, March 08-12, 2009, Honolulu, Hawaii

INDEX TERMS

Primary Classification:
  C. Computer Systems Organization
  C.2 COMPUTER-COMMUNICATION NETWORKS
      C.2.0 General
          Subjects: Security and protection (e.g., firewalls)

Additional Classification:
  C. Computer Systems Organization
  C.2 COMPUTER-COMMUNICATION NETWORKS
      C.2.3 Network Operations
          Subjects: Network monitoring
  C.4 PERFORMANCE OF SYSTEMS
      Subjects: Measurement techniques


General Terms:
Management, Measurement, Security


Keywords:
DDoS attacks, IP spoofing, hop-count, host-based

Collaborative Colleagues:
Haining Wang: colleagues
Cheng Jin: colleagues
Kang G. Shin: colleagues

The ACM Portal is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player