Journal: 電子情報通信学会技術研究報告. 通信方式. Communication Systems

On Tracing and Mitigating Distributed Denial of Service Attacks


Abstract

The CSI/FBI surveys have revealed that (distributed) denial of service ((D)DoS) attacks are still a major concern, leading to significant revenue loss for many organizations. This talk will provide a brief overview of how to trace back and defend against DoS/DDoS attacks, namely, IP traceback and DDoS defense. IP traceback attempts to identify attack sources, i.e., where the attack traffic comes from. We first analyze and evaluate several recently proposed schemes, such as Probabilistic Packet Marking (PPM), iTrace, Hash-based traceback, CenterTrack, and traffic pattern based traceback. We will then present our schemes, including Deterministic Packet Marking (DPM) and Autonomous System-based Edge Marking (ASEM). DPM conducts marking only at the ingress interfaces of the edge routers, thus placing little burden on routers and reducing router involvement. It is simple to implement. DPM can also address reflective DDoS attacks as long as a certain "trust" relationship is maintained between adjacent domains. ASEM, on the other hand, aims to improve upon PPM and exhibits three salient benefits: 1) it significantly reduces the computational burden by introducing a new marking policy and using the optimal marking probability, 2) it completely eradicates spoofed markings intentionally inscribed by the attacker, and 3) it is capable of handling subverted routers by coupling routing and marking information. The second part of this talk discusses DDoS defense schemes, including PacketScore, SYN flood detection, pushback, Puzzle-based defense, and Honeypot. Finally, we briefly outline our proposed comprehensive DDoS defense framework and future work.
