Packet-Marking Scheme for DDoS Attack Prevention

Abstract

One of the main difficulties in the detection and prevention of Distributed Denial of Service (DDoS) attacks is that incoming packets cannot be traced back to the source of the attack, because they typically carry invalid or spoofed source IP addresses. For that reason, a victim system cannot determine whether an incoming packet is part of a DDoS attack or belongs to a legitimate user. Various methods have been proposed to solve the problem of IP traceback for large packet flows. These methods rely on the assumption that a sufficient number of packets from the same source can be gathered in order to reconstruct the traversed path or to determine the source address. In this paper we introduce a packet marking scheme that enables the unique identification of the path each incoming packet has traversed, relying only on the information inside that packet. We show how the proposed scheme enables real-time identification and filtering of DDoS attack traffic. The proposed scheme is simple to implement, introduces no bandwidth overhead and only low computational overhead, and has a low fault probability. Using these metrics, we compare the proposed scheme with existing marking schemes and demonstrate its advantages over them. Finally, we introduce a method that can be used post mortem to determine the source IP addresses of the attacking systems (up to the router nearest to the source).
