Recent occurrences of various Denial of Service (DoS) attacks which have employed forged source addresses have proven to be a troublesome issue for Internet Service Providers and the Internet community overall. This paper discusses a simple, effective, and straightforward method for using ingress traffic filtering to prevent DoS attacks that use forged IP source addresses from being propagated from 'behind' an Internet Service Provider's (ISP) aggregation point.
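As an added illustration (not code from the RFC or this page), the filtering rule the abstract describes, applied on the ISP side of a customer-facing link: a packet is forwarded only if its source address lies inside a prefix delegated to that customer, and every other source is dropped and logged. The prefixes and packets below are constructed sample values.

```python
"""BCP 38 (RFC 2827) style ingress filter for one customer-facing interface.

Added example, not from the RFC or the page. Assumes the ISP delegated the
constructed prefixes 192.0.2.0/24 and 198.51.100.0/26 to the customer behind
this link; any other source address arriving from that link is forged or
misconfigured and is dropped rather than forwarded toward the Internet.
"""
from collections import Counter
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class IngressFilter:
    # Prefixes legitimately assigned to the customer behind this interface.
    customer_prefixes: tuple = ()
    # Dropped packets per offending source address, for operator visibility.
    drops: Counter = field(default_factory=Counter)

    @classmethod
    def for_customer(cls, prefixes: list[str]) -> "IngressFilter":
        return cls(tuple(ip_network(p) for p in prefixes))

    def permits_source(self, src: str) -> bool:
        """True only if the source lies inside a prefix delegated to this customer."""
        addr = ip_address(src)
        return any(addr in net for net in self.customer_prefixes)

    def apply(self, packets: list[dict]) -> tuple[list[dict], list[dict]]:
        """Split packets into (forwarded, dropped) and record each drop."""
        forwarded, dropped = [], []
        for pkt in packets:
            if self.permits_source(pkt["src"]):
                forwarded.append(pkt)
            else:
                dropped.append(pkt)
                self.drops[pkt["src"]] += 1
        return forwarded, dropped


# Constructed sample traffic arriving on the customer-facing interface.
SAMPLE_PACKETS = [
    {"src": "192.0.2.10", "dst": "203.0.113.5"},     # legitimate customer host
    {"src": "198.51.100.17", "dst": "203.0.113.5"},  # legitimate, second prefix
    {"src": "203.0.113.5", "dst": "203.0.113.80"},   # forged: source not delegated to customer
    {"src": "10.1.1.1", "dst": "203.0.113.5"},       # forged: private source, never valid here
    {"src": "198.51.100.70", "dst": "203.0.113.5"},  # forged: just past the /26 boundary
]


def demo() -> tuple[int, int, dict[str, int]]:
    """Run the filter over the constructed traffic; returns counts and the drop log."""
    flt = IngressFilter.for_customer(["192.0.2.0/24", "198.51.100.0/26"])
    forwarded, dropped = flt.apply(SAMPLE_PACKETS)
    return len(forwarded), len(dropped), dict(flt.drops)
```

The drop log is what an operator would export to detect a customer host that has started emitting spoofed traffic.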
Cited By
- Chen X, Wu C, Liu X, Huang Q, Zhang D, Zhou H, Yang Q and Khan M (2023). Empowering Network Security With Programmable Switches: A Comprehensive Survey, IEEE Communications Surveys & Tutorials, 25:3, (1653-1704), Online publication date: 1-Jul-2023.
- Wu X, Wang X and Xing Q Identity-Based Authentication Protocol for Trustworthy IP Address Proceedings of the 2022 12th International Conference on Communication and Network Security, (58-63)
- Jevtic S, Lotfalizadeh H and Kim D Toward Network-based DDoS Detection in Software-defined Networks Proceedings of the 12th International Conference on Ubiquitous Information Management and Communication, (1-8)
- Sharma K, Yadav S and Arora A (2018). Security Integration in DDoS Attack Mitigation Using Access Control Lists, International Journal of Information System Modeling and Design, 9:1, (56-76), Online publication date: 1-Jan-2018.
- Ngo D, Pham-Quoc C, Ngoc Thinh T and Kamioka E (2018). An Efficient High-Throughput and Low-Latency SYN Flood Defender for High-Speed Networks, Security and Communication Networks, 2018, Online publication date: 1-Jan-2018.
- Mirkovic J, Kline E and Reiher P RESECT Proceedings of the 33rd Annual Computer Security Applications Conference, (474-485)
- Tiloca M, Gehrmann C and Seitz L (2017). On improving resistance to Denial of Service and key provisioning scalability of the DTLS handshake, International Journal of Information Security, 16:2, (173-193), Online publication date: 1-Apr-2017.
- Savola R, Savolainen P and Salonen J Towards security metrics-supported IP traceback Proceedings of the 10th European Conference on Software Architecture Workshops, (1-5)
- Moura G, Schmidt R, Heidemann J, de Vries W, Muller M, Wei L and Hesselman C Anycast vs. DDoS Proceedings of the 2016 Internet Measurement Conference, (255-270)
- Xiao Z, Kathiresshan N and Xiao Y (2016). A survey of accountability in computer networks and distributed systems, Security and Communication Networks, 9:4, (290-315), Online publication date: 10-Mar-2016.
- Yan Q, Yu F, Gong Q and Li J (2016). Software-Defined Networking (SDN) and Distributed Denial of Service (DDoS) Attacks in Cloud Computing Environments: A Survey, Some Research Issues, and Challenges, IEEE Communications Surveys & Tutorials, 18:1, (602-622), Online publication date: 1-Jan-2016.
- Schmerl B, Cámara J, Gennari J, Garlan D, Casanova P, Moreno G, Glazier T and Barnes J Architecture-based self-protection Proceedings of the 2014 Symposium and Bootcamp on the Science of Security, (1-12)
- Serpanos D and Voyiatzis A (2013). Security challenges in embedded systems, ACM Transactions on Embedded Computing Systems, 12:1s, (1-10), Online publication date: 1-Mar-2013.
- Tupakula U, Varadharajan V and Vuppala S Counteracting DDoS attacks in WLAN Proceedings of the 4th international conference on Security of information and networks, (119-126)
- Park P, Yi H, Hong S and Ryu J An effective defense mechanism against DoS/DDoS attacks in flow-based routers Proceedings of the 8th International Conference on Advances in Mobile Computing and Multimedia, (442-446)
- Zhang G, Jiang S, Wei G and Guan Q A prediction-based detection algorithm against distributed denial-of-service attacks Proceedings of the 2009 International Conference on Wireless Communications and Mobile Computing: Connecting the World Wirelessly, (106-110)
- Huang T, Zeadally S, Chilamkurti N and Shieh C (2009). Design, implementation, and evaluation of a Programmable Bandwidth Aggregation System for home networks, Journal of Network and Computer Applications, 32:3, (741-759), Online publication date: 1-May-2009.
- Tupakula U, Varadharajan V and Pandalaneni S DoSTRACK Proceedings of the 2009 ACM symposium on Applied Computing, (47-53)
- Andersen D, Balakrishnan H, Feamster N, Koponen T, Moon D and Shenker S (2008). Accountable internet protocol (aip), ACM SIGCOMM Computer Communication Review, 38:4, (339-350), Online publication date: 1-Oct-2008.
- Andersen D, Balakrishnan H, Feamster N, Koponen T, Moon D and Shenker S Accountable internet protocol (aip) Proceedings of the ACM SIGCOMM 2008 conference on Data communication, (339-350)
- Srivatsa M, Iyengar A, Yin J and Liu L (2008). Mitigating application-level denial of service attacks on Web servers, ACM Transactions on the Web, 2:3, (1-49), Online publication date: 1-Jul-2008.
- Yen W and Sung J Dynamic Probabilistic Packet Marking with Partial Non-Preemption Proceedings of the 5th international conference on Ubiquitous Intelligence and Computing, (732-745)
- Yeo C, Lee B and Zhong F A mobile SIP Proceedings of the 2nd international conference on Ubiquitous information management and communication, (125-129)
- Lim T, Lee B, Yeo C and Tantra J A terminal-assisted route optimized NEMO management Proceedings of the 5th ACM international workshop on Mobility management and wireless access, (84-90)
- Atkinson R, Bhatti S and Hailes S A proposal for unifying mobility with multi-homing, NAT, & security Proceedings of the 5th ACM international workshop on Mobility management and wireless access, (74-83)
- Boteanu D, Fernandez J, McHugh J and Mullins J Queue management as a DoS counter-measure? Proceedings of the 10th international conference on Information Security, (263-280)
- Parno B, Wendlandt D, Shi E, Perrig A, Maggs B and Hu Y (2007). Portcullis, ACM SIGCOMM Computer Communication Review, 37:4, (289-300), Online publication date: 1-Oct-2007.
- Atkinson R, Bhatti S and Hailes S Mobility as an integrated service through the use of naming Proceedings of 2nd ACM/IEEE international workshop on Mobility in the evolving internet architecture, (1-6)
- Parno B, Wendlandt D, Shi E, Perrig A, Maggs B and Hu Y Portcullis Proceedings of the 2007 conference on Applications, technologies, architectures, and protocols for computer communications, (289-300)
- Chen S, Tang Y and Du W (2007). Stateful DDoS attacks and targeted filtering, Journal of Network and Computer Applications, 30:3, (823-840), Online publication date: 1-Aug-2007.
- Bossardt M, Dübendorfer T and Plattner B (2007). Enhanced Internet security by a distributed traffic control service based on traffic ownership, Journal of Network and Computer Applications, 30:3, (841-857), Online publication date: 1-Aug-2007.
- Muthuprasanna M, Manimaran G and Wang Z Unified defense against DDoS attacks Proceedings of the 6th international IFIP-TC6 conference on Ad Hoc and sensor networks, wireless networks, next generation internet, (1047-1059)
- Gelenbe E and Loukas G (2007). A self-aware approach to denial of service defence, Computer Networks: The International Journal of Computer and Telecommunications Networking, 51:5, (1299-1314), Online publication date: 1-Apr-2007.
- Srivatsa M, Iyengar A, Yin J and Liu L A middleware system for protecting against application level denial of service attacks Proceedings of the 7th ACM/IFIP/USENIX international conference on Middleware, (260-280)
- Srivatsa M, Iyengar A, Yin J and Liu L A middleware system for protecting against application level denial of service attacks Proceedings of the ACM/IFIP/USENIX 2006 International Conference on Middleware, (260-280)
- Kim B Efficient technique for fast IP traceback Proceedings of the Third international conference on Cooperative Design, Visualization, and Engineering, (211-218)
- Mao Z, Sekar V, Spatscheck O, van der Merwe J and Vasudevan R Analyzing large DDoS attacks using multiple data sources Proceedings of the 2006 SIGCOMM workshop on Large-scale attack defense, (161-168)
- Li L, Mahdian M and Mirrokni V Secure overlay network design Proceedings of the Second international conference on Algorithmic Aspects in Information and Management, (354-366)
- Kim B and Kim K A proposal of extension of FMS-Based mechanism to find attack paths Proceedings of the 2006 international conference on Computational Science and Its Applications - Volume Part III, (476-485)
- Shi Y and Yang X A novel architecture for detecting and defending against flooding-based DDoS attacks Proceedings of the 2005 international conference on Computational Intelligence and Security - Volume Part II, (364-374)
- Xiang Y and Zhou W Safeguard information infrastructure against DDoS attacks Proceedings of the 4th international conference on Cryptology and Network Security, (320-333)
- Gelenbe E Users and services in intelligent networks Proceedings of the First Asian Internet Engineering conference on Technologies for Advanced Heterogeneous Networks, (30-45)
- Wang H, Bose A, El-Gendy M and Shin K (2005). IP Easy-pass, IEEE/ACM Transactions on Networking, 13:6, (1247-1260), Online publication date: 1-Dec-2005.
- Xiang Y and Zhou W Intelligent DDoS packet filtering in high-speed networks Proceedings of the Third international conference on Parallel and Distributed Processing and Applications, (395-406)
- Jiang J, He C and Jiang L (2005). A novel mix-based location privacy mechanism in Mobile IPv6, Computers and Security, 24:8, (629-641), Online publication date: 1-Nov-2005.
- Lam P, Liew S and Lee J Cellular universal IP Proceedings of the 8th ACM international symposium on Modeling, analysis and simulation of wireless and mobile systems, (323-332)
- Law T, Lui J and Yau D (2005). You Can Run, But You Can't Hide, IEEE Transactions on Parallel and Distributed Systems, 16:9, (799-813), Online publication date: 1-Sep-2005.
- Xu Y and Guérin R (2005). On the robustness of router-based denial-of-service (DoS) defense systems, ACM SIGCOMM Computer Communication Review, 35:3, (47-60), Online publication date: 1-Jul-2005.
- Chen S and Song Q (2005). Perimeter-Based Defense against High Bandwidth DDoS Attacks, IEEE Transactions on Parallel and Distributed Systems, 16:6, (526-537), Online publication date: 1-Jun-2005.
- Eriksson J, Faloutsos M and Krishnamurthy S Justice Proceedings of the 4th IFIP-TC6 international conference on Networking Technologies, Services, and Protocols; Performance of Computer and Communication Networks; Mobile and Wireless Communication Systems, (1206-1218)
- Adler M (2005). Trade-offs in probabilistic packet marking for IP traceback, Journal of the ACM, 52:2, (217-244), Online publication date: 1-Mar-2005.
- Lee J and de Veciana G (2005). Scalable multicast based filtering and tracing framework for defeating distributed DoS attacks, International Journal of Network Management, 15:1, (43-60), Online publication date: 1-Jan-2005.
- Wang X and Reiter M Mitigating bandwidth-exhaustion attacks using congestion puzzles Proceedings of the 11th ACM conference on Computer and communications security, (257-267)
- Wang H, Zhang D and Shin K (2004). Change-Point Monitoring for the Detection of DoS Attacks, IEEE Transactions on Dependable and Secure Computing, 1:4, (193-208), Online publication date: 1-Oct-2004.
- Buchholz F and Shields C (2004). Providing process origin information to aid in computer forensic investigations, Journal of Computer Security, 12:5, (753-776), Online publication date: 1-Sep-2004.
- Maltz D, Xie G, Zhan J, Zhang H, Hjálmtýsson G and Greenberg A (2004). Routing design in operational networks, ACM SIGCOMM Computer Communication Review, 34:4, (27-40), Online publication date: 30-Aug-2004.
- Maltz D, Xie G, Zhan J, Zhang H, Hjálmtýsson G and Greenberg A Routing design in operational networks Proceedings of the 2004 conference on Applications, technologies, architectures, and protocols for computer communications, (27-40)
- Bremler-Barr A and Levy H Brief announcement Proceedings of the twenty-third annual ACM symposium on Principles of distributed computing, (375-375)
- Perera E, Sivaraman V and Seneviratne A (2004). Survey on network mobility support, ACM SIGMOBILE Mobile Computing and Communications Review, 8:2, (7-19), Online publication date: 1-Apr-2004.
- Tupakula U and Varadharajan V (2004). Tracing DDoS Floods, Journal of Network and Systems Management, 12:1, (111-135), Online publication date: 1-Mar-2004.
- Snoeren A and Raghavan B (2004). Decoupling policy from mechanism in Internet routing, ACM SIGCOMM Computer Communication Review, 34:1, (81-86), Online publication date: 1-Jan-2004.
- Jin C, Wang H and Shin K Hop-count filtering Proceedings of the 10th ACM conference on Computer and communications security, (30-41)
- Peng T, Leckie C and Ramamohanarao K Detecting distributed denial of service attacks by sharing distributed beliefs Proceedings of the 8th Australasian conference on Information security and privacy, (214-225)
- Song H and Kim H Cooperative routers against DoS attacks Proceedings of the 8th Australasian conference on Information security and privacy, (204-213)
- Yaar A, Perrig A and Song D Pi Proceedings of the 2003 IEEE Symposium on Security and Privacy
- Kim K, Hwang J, Kim B and Kim S Tagged fragment marking scheme with distance-weighted sampling for a fast IP traceback Proceedings of the 5th Asia-Pacific web conference on Web technologies and applications, (442-452)
- Tupakula U and Varadharajan V A practical method to counteract denial of service attacks Proceedings of the 26th Australasian computer science conference - Volume 16, (275-284)
- Snoeren A, Partridge C, Sanchez L, Jones C, Tchakountio F, Schwartz B, Kent S and Strayer W (2002). Single-packet IP traceback, IEEE/ACM Transactions on Networking, 10:6, (721-734), Online publication date: 1-Dec-2002.
- Daswani N and Garcia-Molina H Query-flood DoS attacks in gnutella Proceedings of the 9th ACM conference on Computer and communications security, (181-192)
- Buchholz F and Shields C Providing Process Origin Information to Aid in Network Traceback Proceedings of the General Track of the annual conference on USENIX Annual Technical Conference, (261-274)
- Adler M Tradeoffs in probabilistic packet marking for IP traceback Proceedings of the thirty-fourth annual ACM symposium on Theory of computing, (407-418)
- Baba T and Matsuda S (2002). Tracing Network Attacks to Their Sources, IEEE Internet Computing, 6:2, (20-26), Online publication date: 1-Mar-2002.
- Snoeren A, Partridge C, Sanchez L, Jones C, Tchakountio F, Kent S and Strayer W (2001). Hash-based IP traceback, ACM SIGCOMM Computer Communication Review, 31:4, (3-14), Online publication date: 1-Oct-2001.
- Snoeren A, Partridge C, Sanchez L, Jones C, Tchakountio F, Kent S and Strayer W Hash-based IP traceback Proceedings of the 2001 conference on Applications, technologies, architectures, and protocols for computer communications, (3-14)
- Kargl F, Maier J and Weber M Protecting web servers from distributed denial of service attacks Proceedings of the 10th international conference on World Wide Web, (514-524)
- Bruschi D and Rosti E Disarming offense to facilitate defense Proceedings of the 2000 workshop on New security paradigms, (69-75)
- Burch H Tracing Anonymous Packets to Their Approximate Source Proceedings of the 14th USENIX conference on System administration, (319-328)
- Doeppner T, Klein P and Koyfman A Using router stamping to identify the source of IP packets Proceedings of the 7th ACM conference on Computer and Communications Security, (184-189)
- Savage S, Wetherall D, Karlin A and Anderson T (2000). Practical network support for IP traceback, ACM SIGCOMM Computer Communication Review, 30:4, (295-306), Online publication date: 1-Oct-2000.
- Feldmann A, Greenberg A, Lund C, Reingold N, Rexford J and True F (2000). Deriving traffic demands for operational IP networks, ACM SIGCOMM Computer Communication Review, 30:4, (257-270), Online publication date: 1-Oct-2000.
- Savage S, Wetherall D, Karlin A and Anderson T Practical network support for IP traceback Proceedings of the conference on Applications, Technologies, Architectures, and Protocols for Computer Communication, (295-306)
- Feldmann A, Greenberg A, Lund C, Reingold N, Rexford J and True F Deriving traffic demands for operational IP networks Proceedings of the conference on Applications, Technologies, Architectures, and Protocols for Computer Communication, (257-270)
- Stone R Centertrack Proceedings of the 9th conference on USENIX Security Symposium - Volume 9, (15-15)
- Snoeren A and Balakrishnan H An end-to-end approach to host mobility Proceedings of the 6th annual international conference on Mobile computing and networking, (155-166)
- Perkins C (2000). Mobile IP and the IETF, ACM SIGMOBILE Mobile Computing and Communications Review, 4:1, (7-12), Online publication date: 1-Jan-2000.
- Zhao X, Castelluccia C and Baker M Flexible network support for mobility Proceedings of the 4th annual ACM/IEEE international conference on Mobile computing and networking, (145-156)