Defeating reflector attacks: Signature conflict triggered filtering

Distributed Denial of Service (DDoS) attacks are a severe threat to internet security. The use of reflectors in launching DDoS attacks makes it particularly difficult to defend against. Not only do reflectors hide the identity of the actual zombies, they may also act as amplifying subnets. The attack evades the local intrusion detection systems at the reflector end since the volume of the attack traffic at each reflector is relatively very small. There is a need for a mechanism to effectively deal with such attacks and to identify the zombies involved. In this paper, we solve the dual problem of mitigating reflector attacks and identifying the zombies involved in an attack, by proposing the Signature Conflict Triggered Filtering (SCTF) mechanism. SCTF is an extremely novel concept, because it is detects a zombie's spoofed attack traffic based on the characteristic signature that each legitimate packet from the victim must carry. Unlike defences based at the victim end, we use edge router(s) of the reflector(s) for the detection of attack traffic, thereby mitigating the attack very effectively. Once the attack packets are identified, an IP Traceback scheme like Deterministic Edge Route Marking, running at the reflector end can track the zombies involved in the attack. Since the signature of legitimate traffic is used to identify and filter the attack traffic, this scheme does not suffer from any collateral damage (No legitimate traffic is filtered). SCTF can operate in intensive reflector attacks that utilize a large number of reflectors and are very scalable. The scheme assumes that routers are not compromised and requires reasonable extra space and processing in routers.