Abstract
High-speed networks are currently being hit by successive waves of Distributed Denial of Service (DDoS) attacks. DDoS defense in high-speed networks faces two major challenges. One is to detect attack traffic sensitively and accurately; the other is to filter out the attack traffic quickly, which mainly depends on high-speed packet classification. Unfortunately, most current defense approaches cannot efficiently detect and quickly filter out attack traffic. Our approach is to find network anomalies by using a neural network, deploy the system at distributed routers, identify the attack packets, and then filter them quickly with a Bloom filter-based classifier. The evaluation results show that this approach can be used to defend against both intensive and subtle DDoS attacks, and can capture the characteristic of DDoS attacks of starting from multiple sources and converging on a single victim. Its low complexity, high classification speed and low storage requirements make it especially suitable for DDoS defense in high-speed networks.
Copyright information
© 2005 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Xiang, Y., Zhou, W. (2005). Intelligent DDoS Packet Filtering in High-Speed Networks. In: Pan, Y., Chen, D., Guo, M., Cao, J., Dongarra, J. (eds) Parallel and Distributed Processing and Applications. ISPA 2005. Lecture Notes in Computer Science, vol 3758. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11576235_42
DOI: https://doi.org/10.1007/11576235_42
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-29769-7
Online ISBN: 978-3-540-32100-2
eBook Packages: Computer Science (R0)