TY - GEN
T1 - Defeating reflector attacks
T2 - 5th European Conference on Information Warfare and Security 2006, ECIW 2006
AU - Mittal, Prateek
AU - Barua, Gautam
AU - Narang, Sameer
PY - 2006/12/1
Y1 - 2006/12/1
AB - Distributed Denial of Service (DDoS) attacks are a severe threat to internet security. The use of reflectors in launching DDoS attacks makes them particularly difficult to defend against. Not only do reflectors hide the identity of the actual zombies, they may also act as amplifying subnets. The attack evades the local intrusion detection systems at the reflector end, since the volume of attack traffic at each reflector is relatively small. There is a need for a mechanism to deal effectively with such attacks and to identify the zombies involved. In this paper, we solve the dual problem of mitigating reflector attacks and identifying the zombies involved in an attack by proposing the Signature Conflict Triggered Filtering (SCTF) mechanism. SCTF is a novel concept because it detects a zombie's spoofed attack traffic based on the characteristic signature that each legitimate packet from the victim must carry. Unlike defences based at the victim end, we use the edge router(s) of the reflector(s) for the detection of attack traffic, thereby mitigating the attack very effectively. Once the attack packets are identified, an IP traceback scheme such as Deterministic Edge Route Marking, running at the reflector end, can track the zombies involved in the attack. Since the signature of legitimate traffic is used to identify and filter the attack traffic, this scheme does not suffer from any collateral damage (no legitimate traffic is filtered). SCTF can operate under intensive reflector attacks that use a large number of reflectors, and it is highly scalable. The scheme assumes that routers are not compromised and requires reasonable extra space and processing in routers.
KW - DDoS
KW - IP trace back
KW - Reflector attacks
UR - http://www.scopus.com/inward/record.url?scp=84873850654&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84873850654&partnerID=8YFLogxK
M3 - Conference contribution
AN - SCOPUS:84873850654
SN - 9781622765317
T3 - 5th European Conference on Information Warfare and Security 2006, ECIW 2006
SP - 169
EP - 176
BT - 5th European Conference on Information Warfare and Security 2006, ECIW 2006
Y2 - 1 June 2006 through 2 June 2006
ER -