Defeating reflector attacks: Signature conflict triggered filtering

Prateek Mittal, Gautam Barua, Sameer Narang

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

2 Scopus citations

Abstract

Distributed Denial of Service (DDoS) attacks are a severe threat to internet security. The use of reflectors in launching DDoS attacks makes them particularly difficult to defend against. Not only do reflectors hide the identity of the actual zombies, they may also act as amplifying subnets. The attack evades the local intrusion detection systems at the reflector end since the volume of the attack traffic at each reflector is relatively small. There is a need for a mechanism to effectively deal with such attacks and to identify the zombies involved. In this paper, we solve the dual problem of mitigating reflector attacks and identifying the zombies involved in an attack, by proposing the Signature Conflict Triggered Filtering (SCTF) mechanism. SCTF is an extremely novel concept, because it detects a zombie's spoofed attack traffic based on the characteristic signature that each legitimate packet from the victim must carry. Unlike defences based at the victim end, we use edge router(s) of the reflector(s) for the detection of attack traffic, thereby mitigating the attack very effectively. Once the attack packets are identified, an IP Traceback scheme like Deterministic Edge Route Marking, running at the reflector end, can track the zombies involved in the attack. Since the signature of legitimate traffic is used to identify and filter the attack traffic, this scheme does not suffer from any collateral damage (no legitimate traffic is filtered). SCTF can operate in intensive reflector attacks that utilize a large number of reflectors and is very scalable. The scheme assumes that routers are not compromised and requires reasonable extra space and processing in routers.

Original language: English (US)
Title of host publication: 5th European Conference on Information Warfare and Security 2006, ECIW 2006
Pages: 169-176
Number of pages: 8
State: Published - Dec 1 2006
Externally published: Yes
Event: 5th European Conference on Information Warfare and Security 2006, ECIW 2006 - Helsinki, Finland
Duration: Jun 1 2006 to Jun 2 2006

Publication series

Name: 5th European Conference on Information Warfare and Security 2006, ECIW 2006

Other

Other: 5th European Conference on Information Warfare and Security 2006, ECIW 2006
Country/Territory: Finland
City: Helsinki
Period: 6/1/06 to 6/2/06

All Science Journal Classification (ASJC) codes

  • Information Systems
  • Safety, Risk, Reliability and Quality

Keywords

  • DDoS
  • IP trace back
  • Reflector attacks
