Packet filtering to defend flooding-based DDoS attacks [Internet denial-of-service attacks]

Authors:

Yen-Hung Hu (Dept. of Comput. Sci., George Washington Univ., DC, USA); Hongsik Choi; H.-A. Choi

Our proposed scheme seeks to defend against flooding distributed denial-of-service (DDoS) attacks in the Internet. An easy, yet very disruptive, way to deny legitimate users their fair share is to deplete the network bandwidth by sending high-rate unresponsive flows from multiple sources. The congestion created by such malicious flows causes most legitimate packets to be dropped at routers before they reach their destinations. Congestion control in IP networks is typically done at each router through queue management, and the network depends entirely on the end hosts to react to congestion signals (dropped or marked packets). When the network is under a packet-flood attack, however, existing queue management algorithms show significant shortcomings in protecting legitimate flows: a flooding source ignores the loss signal and keeps its share of the queue, while responsive sources keep backing off. In this paper, we propose a novel congestion control scheme for IP networks that defends against DDoS attacks. Our approach is a time-window-based filtering mechanism, applied before the queue management policy. With the window size set properly, and packets that spill over into the next window dropped, the filter exposes the non-responsive nature of misbehaving flows: a responsive flow backs off after the drops and fits into its window again, whereas a flood keeps overflowing and keeps being dropped. The performance of the proposed scheme is demonstrated through extensive simulations with the NS2 simulator, using a set of simulated traffic generated from IP traces reported at http://www.nlnar.org.
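The following is an added illustrative model of the idea in the abstract, written for this page; it is not the authors' code and the abstract gives no exact algorithm, so the mechanism details are assumptions: each flow gets a fixed packet quota per time window, packets beyond the quota are dropped and the overflow is carried as a debt that shrinks the flow's quota in the next window (one reading of "packets reaching into the next window"), the debt is capped at one window's quota, and the queue behind the filter is modelled as a fluid drop-tail link that gives each flow a share proportional to its offered load. Traffic is constructed: a TCP-like AIMD source and a constant-rate flood. The point it shows is the one the abstract makes: with the queue alone the responsive flow is starved, while with the pre-filter the flood is squeezed out and the responsive flow keeps almost all of its packets.

```python
"""Time-window pre-filter ahead of a router queue (illustrative model).

Added example, not the paper's code. Assumed mechanism: per-flow packet quota
per window; overflow is dropped and carried into the next window as a debt
(capped at one quota); a fluid drop-tail queue drains the admitted packets.
"""
from collections import defaultdict

LINK_CAPACITY = 100   # packets the outgoing link drains per window (assumed)
WINDOWS = 10          # number of windows simulated (assumed)


class WindowFilter:
    """Per-flow packet quota per time window with carried-over overflow."""

    def __init__(self, quota: int):
        self.quota = quota
        self.debt = defaultdict(int)   # overflow carried from the previous window

    def filter_window(self, offered: dict) -> dict:
        """Return packets admitted per flow for one window and update debts."""
        admitted = {}
        for flow, n in offered.items():
            allowed = max(0, self.quota - self.debt[flow])
            admitted[flow] = min(n, allowed)
            overflow = n - admitted[flow]
            # Overflow "reaches into" the next window: it shrinks the next quota.
            # A responsive flow pays this off in one window; a flood never does.
            self.debt[flow] = min(self.quota, overflow)
        return admitted


def drain_queue(offered: dict, capacity: int = LINK_CAPACITY) -> dict:
    """Fluid drop-tail model (assumption): when the link is oversubscribed,
    each flow keeps a share of the capacity proportional to its offered load,
    which is exactly why a high-rate flood crowds out a responsive flow."""
    total = sum(offered.values())
    if total <= capacity:
        return dict(offered)
    return {flow: capacity * n // total for flow, n in offered.items()}


class ResponsiveSource:
    """TCP-like AIMD sender: halves its rate after a window with any loss,
    otherwise grows by `step` packets per window."""

    def __init__(self, rate: int, step: int = 10):
        self.rate, self.step = rate, step

    def send(self) -> int:
        return self.rate

    def feedback(self, lost: bool) -> None:
        self.rate = max(1, self.rate // 2) if lost else self.rate + self.step


class FloodSource:
    """Unresponsive flood: same rate regardless of loss."""

    def __init__(self, rate: int):
        self.rate = rate

    def send(self) -> int:
        return self.rate

    def feedback(self, lost: bool) -> None:
        pass


def simulate(sources: dict, window_filter=None, windows: int = WINDOWS) -> dict:
    """Run the given number of windows; return per-flow delivered fraction."""
    sent, delivered = defaultdict(int), defaultdict(int)
    for _ in range(windows):
        offered = {name: src.send() for name, src in sources.items()}
        admitted = offered if window_filter is None else window_filter.filter_window(offered)
        drained = drain_queue(admitted)
        for name, src in sources.items():
            sent[name] += offered[name]
            delivered[name] += drained[name]
            src.feedback(drained[name] < offered[name])   # any loss this window?
    return {name: delivered[name] / sent[name] for name in sources}


def make_sources() -> dict:
    # Constructed traffic: a 40 pkt/window AIMD flow and a 200 pkt/window flood.
    return {"tcp": ResponsiveSource(40), "flood": FloodSource(200)}


def run_comparison() -> dict:
    """Same traffic through the queue alone and through filter + queue."""
    return {
        "queue_only": simulate(make_sources()),
        "filter_then_queue": simulate(make_sources(), WindowFilter(quota=50)),
    }


if __name__ == "__main__":
    for scenario, result in run_comparison().items():
        print(scenario, {k: round(v, 3) for k, v in result.items()})
```

With a quota of 50 packets per flow per window and a 100-packet link, the queue alone delivers about 38% of the responsive flow's packets and about 48% of the flood's, whereas the filtered path delivers about 96% of the responsive flow and 2.5% of the flood: the flood's overflow carries into every following window and its quota never recovers, while the AIMD flow overshoots occasionally, backs off, and is admitted again. The window size relative to the responsive flow's reaction time is what makes this distinction possible, which is the tuning the abstract refers to.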

Published in:

2004 IEEE/Sarnoff Symposium on Advances in Wired and Wireless Communication

Date of Conference:

26-27 Apr 2004