ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
Hop-count filtering: an effective defense against spoofed DDoS traffic
Full text PdfPdf (214 KB)
Source Conference on Computer and Communications Security archive
Proceedings of the 10th ACM conference on Computer and communications security table of contents
Washington D.C., USA
SESSION: DOS protection table of contents
Pages: 30 - 41  
Year of Publication: 2003
ISBN:1-58113-738-9
Authors
Cheng Jin  Caltech, Pasadena, CA
Haining Wang  College of William and Mary, Williamsburg, VA
Kang G. Shin  University of Michigan, Ann Arbor, MI
Sponsor
ACM: Association for Computing Machinery
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 30,   Downloads (12 Months): 224,   Citation Count: 42
Additional Information:

abstract   references   cited by   index terms   collaborative colleagues  

Tools and Actions: Request Permissions Request Permissions    Review this Article  
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/948109.948116
What is a DOI?

ABSTRACT

IP spoofing has been exploited by Distributed Denial of Service (DDoS) attacks to (1) conceal flooding sources and localities in flooding traffic, and (2) coax legitimate hosts into becoming reflectors, redirecting and amplifying flooding traffic. Thus, the ability to filter spoofed IP packets near victims is essential to their own protection as well as to their avoidance of becoming involuntary DoS reflectors. Although an attacker can forge any field in the IP header, he or she cannot falsify the number of hops an IP packet takes to reach its destination. This hop-count information can be inferred from the Time-to-Live (TTL) value in the IP header. Using a mapping between IP addresses and their hop-counts to an Internet server, the server can distinguish spoofed IP packets from legitimate ones. Base on this observation, we present a novel filtering technique that is immediately deployable to weed out spoofed IP packets. Through analysis using network measurement data, we show that Hop-Count Filtering (HCF) can identify close to 90% of spoofed IP packets, and then discard them with little collateral damage. We implement and evaluate HCF in the Linux kernel, demonstrating its benefits using experimental measurements.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

 
1
Dave Andersen. tcptraceroute. Available: http://nms.lcs.mit.edu/software/ron/.
 
2
Razor Team at~Bindview. Despoof, 2000. Available: http://razor.bindview.com/tools/desc/despoof_readme.html.
 
3
Gaurav Banga , Peter Druschel , Jeffrey C. Mogul, Resource containers: a new facility for resource management in server systems, Proceedings of the third symposium on Operating systems design and implementation, p.45-58, February 1999, New Orleans, Louisiana, United States
 
4
S. M. Bellovin. Icmp traceback messages. In Internet Draft: draft-bellovin-itrace-00.txt (work in progress), March 2000.
 
5
N. Bhatti and R. Friedrich. Web server support for tiered services. IEEE Network, 13(5), September/October 1999.
 
6
CERT Advisory CA-2000.01. Denial-of-service development, January 2000. Available: http://www.cert.org/advisories/CA-2000-01.html.
 
7
CERT Advisory CA-96.21. TCP SYN flooding and IP spoofing, November 2000. Available: http://www.cert.org/advisories/CA-96-21.html.
 
8
CERT Advisory CA-98.01. smurf IP denial-of-service attacks, January 1998. Available: http://www.cert.org/advisories/CA-98-01.html.
 
9
B. Cheswick, H. Burch, and S. Branigan. Mapping and visualizing the internet. In Proceedings of USENIX Annual Technical Conference '2000, San Diego, CA, June 2000.
 
10
K. Claffy, T. E. Monk, and D. McRobb. Internet tomography. In Nature, January 1999. Available: http://www.caida.org/Tools/Skitter/.
 
11
E. Cronin, S. Jamin, C. Jin, T. Kurc, D. Raz, and Y. Shavitt. Constrained mirror placement on the internet. IEEE Journal on Selected Areas in Communications, 36(2), September 2002.
 
12
Sven Dietrich , Neil Long , David Dittrich, Analyzing Distributed Denial of Service Tools: The Shaft Case, Proceedings of the 14th USENIX conference on System administration, December 03-08, 2000, New Orleans, Louisiana
 
13
D. Dittrich. Distributed Denial of Service (DDoS) attacks/tools page. Available: http://staff.washington.edu/dittrich/misc/ddos/.
 
14
The~Swiss Education and Research Network. Default TTL values in TCP/IP, 2002. Available: http://secfr.nerim.net/docs/fingerprint/en/ttl_default.html.
 
15
P. Ferguson and D. Senie. Network ingress filtering: Defeating denial of service attacks which employ IP source address spoofing. In RFC 2267, January 1998.
 
16
National Laboratory for Applied Network Research. Active measurement project (amp), 1998-. Available: http://watt.nlanr.net/.
 
17
Steve Romig, The OSU Flow-tools Package and CISCO NetFlow Logs, Proceedings of the 14th USENIX conference on System administration, December 03-08, 2000, New Orleans, Louisiana
 
18
Lee Garber, Denial-of-Service Attacks Rip the Internet, Computer, v.33 n.4, p.12-17, April 2000  [doi>10.1109/MC.2000.839316]
 
19
S. Gibson. Distributed reflection denial of service. In Technical Report, Gibson Research Corporation, February 2002. Available: http://grc.com/dos/drdos.htm.
 
20
T. M. Gil and M. Poletter. Multops: a data-structure for bandwidth attack detection. In Proceedings of USENIX Security Symposium'2001, Washington D.C, August 2001.
 
21
R. Govinda and H. Tangmunarunkit. Heuristics for internet map discovery. In Proceedings of IEEE INFOCOM '2000, Tel Aviv, Israel, March 2000.
 
22
Arbor Networks Inc. Peakflow DoS, 2002. Available: http://arbornetworks.com/standard?tid=34&cid=14.
 
23
J. Ioannidis and S. M. Bellovin. Implementing pushback: Router-based defense against ddos attacks. In Proceedings of NDSS'2002, San Diego, CA, February 2002.
24
Angelos D. Keromytis , Vishal Misra , Dan Rubenstein, SOS: secure overlay services, Proceedings of the 2002 conference on Applications, technologies, architectures, and protocols for computer communications, August 19-23, 2002, Pittsburgh, Pennsylvania, USA
 
25
J. Li, J. Mirkovic, M. Wang, P. Reiher, and L. Zhang. Save: Source address validity enforcement protocol. In Proceedings of IEEE INFOCOM '2002, New York City, NY, June 2002.
26
Ratul Mahajan , Steven M. Bellovin , Sally Floyd , John Ioannidis , Vern Paxson , Scott Shenker, Controlling high bandwidth aggregates in the network, ACM SIGCOMM Computer Communication Review, v.32 n.3, p.62-73, July 2002  [doi>10.1145/571697.571724]
 
27
D. Moore, G. Voelker, and S. Savage. Inferring internet denial of service activity. In Proceedings of USENIX Security Symposium'2001, Washington D.C., August 2001.
 
28
Robert T. Morris. A weakness in the 4.2bsd unix tcp/ip software. In Computing Science Technical Report 117, AT&T Bell Laboratories, Murray Hill, NJ, February 1985.
 
29
Mazu Networks. Enforcer, 2002. {Online}. Available: http://www.mazunetworks.com/products/.
 
30
Peter G. Neumann , Phillip A. Porras, Experience with EMERALD to Date, Proceedings of the Workshop on Intrusion Detection and Network Monitoring, p.73-80, April 09-12, 1999
31
Kihong Park , Heejo Lee, On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law internets, Proceedings of the 2001 conference on Applications, technologies, architectures, and protocols for computer communications, p.15-26, August 2001, San Diego, California, United States
 
32
Vern Paxson, End-to-end routing behavior in the Internet, IEEE/ACM Transactions on Networking (TON), v.5 n.5, p.601-615, Oct. 1997  [doi>10.1109/90.649563]
33
Vern Paxson, An analysis of using reflectors for distributed denial-of-service attacks, ACM SIGCOMM Computer Communication Review, v.31 n.3, July 2001  [doi>10.1145/505659.505664]
 
34
M. Poletto. Practical approaches to dealing with ddos attacks. In NANOG 22 Agenda, May 2001. Available: http://www.nanog.org/mtg-0105/poletto.html.
35
Xiaohu Qie , Ruoming Pang , Larry Peterson, Defensive programming: using an annotation toolkit to build DoS-resistant software, Proceedings of the 5th symposium on Operating systems design and implementation

Due to copyright restrictions we are not able to make the PDFs for this conference available for downloading

, December 09-11, 2002, Boston, Massachusetts  [doi>10.1145/1060289.1060295]
36
Stefan Savage , David Wetherall , Anna Karlin , Tom Anderson, Practical network support for IP traceback, Proceedings of the conference on Applications, Technologies, Architectures, and Protocols for Computer Communication, p.295-306, August 28-September 01, 2000, Stockholm, Sweden
37
Alex C. Snoeren, Hash-based IP traceback, Proceedings of the 2001 conference on Applications, technologies, architectures, and protocols for computer communications, p.3-14, August 2001, San Diego, California, United States
 
38
D. Song and A. Perrig. Advanced and authenticated marking schemes for IP traceback. In Proceedings of IEEE INFOCOM '2001, Anchorage, Alaska, March 2001.
 
39
Oliver Spatscheck , Larry L. Peterson, Defending against denial of service attacks in Scout, Proceedings of the third symposium on Operating systems design and implementation, p.59-72, February 1999, New Orleans, Louisiana, United States
40
Neil Spring , Ratul Mahajan , David Wetherall, Measuring ISP topologies with rocketfuel, Proceedings of the 2002 conference on Applications, technologies, architectures, and protocols for computer communications, August 19-23, 2002, Pittsburgh, Pennsylvania, USA
 
41
R. Stone. Centertrack: An IP overlay network for tracking DoS floods. In Proceedings of USENIX Security Symposium'2000, Denver, CO, August 2000.
 
42
S. Templeton and K. Levitt. Detecting spoofed packets. In Proceedings of The Third DARPA Information Survivability Conference and Exposition (DISCEX III)'2003, Washington, D.C., April 2003.
 
43
H. Wang, D. Zhang, and K. G. Shin. Detecting syn flooding attacks. In Proceedings of IEEE INFOCOM '2002, New York City, NY, June 2002.
 
44
G. R. Wright and W. R. Stevens. TCP/IP Illustrated, Volume 2. Addison-Wesley Publishing Company, 1994.
 
45
Abraham Yaar , Adrian Perrig , Dawn Song, Pi: A Path Identification Mechanism to Defend against DDoS Attacks, Proceedings of the 2003 IEEE Symposium on Security and Privacy, p.93, May 11-14, 2003

CITED BY  42
XiaoFeng Wang , Michael K. Reiter, Mitigating bandwidth-exhaustion attacks using congestion puzzles, Proceedings of the 11th ACM conference on Computer and communications security, October 25-29, 2004, Washington DC, USA
Ramana Rao Kompella , Sumeet Singh , George Varghese, On scalable attack detection in the network, Proceedings of the 4th ACM SIGCOMM conference on Internet measurement, October 25-27, 2004, Taormina, Sicily, Italy
Kirill Levchenko , Ramamohan Paturi , George Varghese, On the difficulty of scalably detecting network attacks, Proceedings of the 11th ACM conference on Computer and communications security, October 25-29, 2004, Washington DC, USA
Angelos Stavrou , Debra L. Cook , William G. Morein , Angelos D. Keromytis , Vishal Misra , Dan Rubenstein, WebSOS: an overlay-based system for protecting web servers from denial of service attacks, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.48 n.5, p.781-807, 5 August 2005
Haining Wang , Danlu Zhang , Kang G. Shin, Change-Point Monitoring for the Detection of DoS Attacks, IEEE Transactions on Dependable and Secure Computing, v.1 n.4, p.193-208, October 2004
Haining Wang , Abhijit Bose , Mohamed El-Gendy , Kang G. Shin, IP Easy-pass: a light-weight network-edge resource access control, IEEE/ACM Transactions on Networking (TON), v.13 n.6, p.1247-1260, December 2005
Naoum Naoumov , Keith Ross, Exploiting P2P systems for DDoS attacks, Proceedings of the 1st international conference on Scalable information systems, p.47-es, May 30-June 01, 2006, Hong Kong
Tarik Taleb , Nei Kato , Yoshiaki Nemoto, REFWA: an efficient and fair congestion control scheme for LEO satellite networks, IEEE/ACM Transactions on Networking (TON), v.14 n.5, p.1031-1044, October 2006
Bin Xiao , Wei Chen , Yanxiang He, A novel approach to detecting DDoS Attacks at an Early Stage, The Journal of Supercomputing, v.36 n.3, p.235-248, June 2006
Grenville Armitage , Carl Javier , Sebastian Zander, Post-game estimation of game client RTT and hop count distributions, Proceedings of 5th ACM SIGCOMM workshop on Network and system support for games, p.33-es, October 30-31, 2006, Singapore
Miao Ma, Tabu marking scheme to speedup IP traceback, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.50 n.18, p.3536-3549, 21 December 2006
Jenshiuh Liu , Zhi-Jian Lee , Yeh-Ching Chung, Dynamic probabilistic packet marking for efficient IP traceback, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.51 n.3, p.866-882, February, 2007
Ramana Rao Kompella , Sumeet Singh , George Varghese, On scalable attack detection in the network, IEEE/ACM Transactions on Networking (TON), v.15 n.1, p.14-25, February 2007
Robert Beverly , Steven Bauer, The spoofer project: inferring the extent of source address filtering on the internet, Proceedings of the Steps to Reducing Unwanted Traffic on the Internet on Steps to Reducing Unwanted Traffic on the Internet Workshop, p.8-8, July 07, 2005, Cambridge, MA
Cliff C. Zou , Nick Duffield , Don Towsley , Weibo Gong, Adaptive defense against various network attacks, Proceedings of the Steps to Reducing Unwanted Traffic on the Internet on Steps to Reducing Unwanted Traffic on the Internet Workshop, p.10-10, July 07, 2005, Cambridge, MA
Xin Liu , Xiaowei Yang , David Wetherall , Thomas Anderson, Efficient and secure source authentication with packet passports, Proceedings of the 2nd conference on Steps to Reducing Unwanted Traffic on the Internet, p.2-2, July 07, 2006, San Jose, CA
Erol Gelenbe , George Loukas, A self-aware approach to denial of service defence, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.51 n.5, p.1299-1314, April, 2007
Heejo Lee , Minjin Kwon , Geoffrey Hasker , Adrian Perrig, BASE: an incrementally deployable mechanism for viable IP spoofing prevention, Proceedings of the 2nd ACM symposium on Information, computer and communications security, March 20-22, 2007, Singapore
Hikmat Farhat, Protecting TCP services from denial of service attacks, Proceedings of the 2006 SIGCOMM workshop on Large-scale attack defense, p.155-160, September 11-15, 2006, Pisa, Italy
Songjie Wei , Jelena Mirkovic, Building Reputations for Internet Clients, Electronic Notes in Theoretical Computer Science (ENTCS), 179, p.17-30, July, 2007
Xin Liu , Ang Li , Xiaowei Yang , David Wetherall, Passport: secure and adoptable source authentication, Proceedings of the 5th USENIX Symposium on Networked Systems Design and Implementation, p.365-378, April 16-18, 2008, San Francisco, California
Roman Chertov , Sonia Fahmy , Ness B. Shroff, Fidelity of network simulation and emulation: A case study of TCP-targeted denial of service attacks, ACM Transactions on Modeling and Computer Simulation (TOMACS), v.19 n.1, p.1-29, December 2008
Craig A. Shue , Minaxi Gupta , Matthew P. Davy, Packet forwarding with source verification, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.52 n.8, p.1567-1582, June, 2008
Bin Xiao , Wei Chen , Yanxiang He, An autonomous defense against SYN flooding attacks: Detect and throttle attacks at the victim side independently, Journal of Parallel and Distributed Computing, v.68 n.4, p.456-470, April, 2008
Changxi Zheng , Lusheng Ji , Dan Pei , Jia Wang , Paul Francis, A light-weight distributed scheme for detecting ip prefix hijacks in real-time, ACM SIGCOMM Computer Communication Review, v.37 n.4, October 2007
Jun Li , Jelena Mirkovic , Toby Ehrenkranz , Mengqiu Wang , Peter Reiher , Lixia Zhang, Learning the valid incoming direction of IP packets, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.52 n.2, p.399-417, February, 2008
Yang Xiang , Wanlei Zhou, Protecting information infrastructure from DDoS attacks by MADF, International Journal of High Performance Computing and Networking, v.4 n.5/6, p.357-367, May 2006
Turgay Korkmaz , Chao Gong , Kamil Sarac , Sandra G. Dykes, Single packet IP traceback in AS-level partial deployment scenario, International Journal of Security and Networks, v.2 n.1/2, p.95-108, March 2007
Xiaobo Zhou , Dennis Ippoliti , Terrance Boult, Hop-count based probabilistic packet dropping: Congestion mitigation with loss rate differentiation, Computer Communications, v.30 n.18, p.3859-3869, December, 2007
Gal Badishi , Amir Herzberg , Idit Keidar, Keeping Denial-of-Service Attackers in the Dark, IEEE Transactions on Dependable and Secure Computing, v.4 n.3, p.191-204, July 2007
Ruiliang Chen , Jung-Min Park , Randolph Marchany, A Divide-and-Conquer Strategy for Thwarting Distributed Denial-of-Service Attacks, IEEE Transactions on Parallel and Distributed Systems, v.18 n.5, p.577-588, May 2007
Brian Eriksson , Paul Barford , Robert Nowak, Network discovery from passive measurements, ACM SIGCOMM Computer Communication Review, v.38 n.4, October 2008
Hiroshi Tsunoda , Kohei Ohta , Atsunori Yamamoto , Nirwan Ansari , Yuji Waizumi , Yoshiaki Nemoto, Detecting DRDoS attacks by a simple response packet confirmation mechanism, Computer Communications, v.31 n.14, p.3299-3306, September, 2008
Haidar Safa , Mohamad Chouman , Hassan Artail , Marcel Karam, A collaborative defense mechanism against SYN flooding attacks in IP networks, Journal of Network and Computer Applications, v.31 n.4, p.509-534, November, 2008
Minho Sung , Jun Xu , Jun Li , Li Li, Large-scale IP traceback in high-speed internet: practical techniques and information-theoretic foundation, IEEE/ACM Transactions on Networking (TON), v.16 n.6, p.1253-1266, December 2008
Yi Xie , Shun-Zheng Yu, A large-scale hidden semi-Markov model for anomaly detection on user browsing behaviors, IEEE/ACM Transactions on Networking (TON), v.17 n.1, p.54-65, February 2009
Chuan Yue , Haining Wang, Profit-aware overload protection in E-commerce Web sites, Journal of Network and Computer Applications, v.32 n.2, p.347-356, March, 2009
H. Alipour , M. Esmaeili , Kashefi Kia, Supporting security against SYN flooding attacks in distributed denial-of-service via measuring internet protocol flow information export-based traffic, International Journal of Electronic Security and Digital Forensics, v.2 n.1, p.49-57, March 2009
Toby Ehrenkranz , Jun Li, On the state of IP spoofing defense, ACM Transactions on Internet Technology (TOIT), v.9 n.2, p.1-29, May 2009
S. Malliga , A. Tamilarasi, Collaborative Framework for Detection, Prevention, and Traceback of Flooding Attacks Using Marking and Filtering, Information Security Journal: A Global Perspective, v.18 n.2, p.74-86, January 2009
Igor Kotenko , Alexander Ulanov, Agent-based modeling and simulation of network softbots' competition, Proceeding of the 2006 conference on Knowledge-Based Software Engineering: Proceedings of the Seventh Joint Conference on Knowledge-Based Software Engineering, p.243-252, May 21, 2006
Patrick P. C. Lee , Tian Bu , Thomas Woo, On the detection of signaling DoS attacks on 3G/WiMax wireless networks, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.53 n.15, p.2601-2616, October, 2009

INDEX TERMS

Primary Classification:
  C. Computer Systems Organization
  C.2 COMPUTER-COMMUNICATION NETWORKS


General Terms:
Algorithms, Performance, Security


Keywords:
DDoS defense, TTL, host-based, networking, security

Collaborative Colleagues:
Cheng Jin: colleagues
Haining Wang: colleagues
Kang G. Shin: colleagues

The ACM Portal is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player