On the effectiveness of flexible deterministic packet marking for DDoS defense

Abstract

IP traceback is one of the defense mechanisms against Distributed Denial of Service (DDoS) attacks. However, most traceback schemes consume extensive resources such as CPU, memory, disk storage and bandwidth, and require a large number of IP packets to reconstruct the attack sources, which makes them impractical and ineffective. In this paper we present a new flexible IP traceback scheme called Flexible Deterministic Packet Marking (FDPM). FDPM is flexible in two ways: it can adjust the length of the marking field according to the network protocols deployed, so it works even in an environment with mixed network protocols; and it can adjust the marking rate according to the load of the participating router while still maintaining the marking function. To verify the effectiveness of FDPM for DDoS defense in terms of marking efficiency, maximum forwarding rate, and the number of packets needed for reconstruction, we tested FDPM both by simulation and by a Linux router implementation, with emphasis on the latter. The experiments demonstrate that the built-in overload prevention mechanism, flow-based marking, can isolate and mark as many DDoS attack packets as possible while keeping the load on the participating router reasonably low. The real hardware implementation confirms that this flexibility is important when traceback mechanisms are used in a real DDoS defense scenario.
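The following is an added toy model of the two ideas in the abstract, written for this page and not taken from the paper or its Linux implementation. It is an assumption-laden illustration: the three marking-field layouts (16, 24 and 32 bits, split into a segment index, a short digest and an address segment), the SHA-256-based digest, the "hot destination" heuristic used to stand in for flow-based marking under overload, and the constructed traffic mix are all choices made here, not the paper's. It shows why a shorter marking field raises the number of marked packets the victim needs (one per segment) and how an overloaded ingress router can keep marking the packets aimed at the flooded destination while skipping background traffic.

```python
"""Toy deterministic packet marking in the style of FDPM (added example, not the paper's code).

Assumed field layouts, digest function and overload heuristic are illustrative only.
"""
import hashlib
import ipaddress
from collections import defaultdict

# Assumed layouts for a marking field of 16, 24 or 32 bits:
# (index_bits, payload_bits, digest_bits). The ingress address is split into
# 32 // payload_bits segments, which is also the minimum number of marked
# packets the victim must collect to rebuild one ingress address.
LAYOUTS = {16: (2, 8, 6), 24: (1, 16, 7), 32: (0, 32, 0)}


def digest(addr_int, bits):
    """Short hash of an ingress address; lets the victim pair segments of the same router."""
    if bits == 0:
        return 0
    h = hashlib.sha256(addr_int.to_bytes(4, "big")).digest()
    return int.from_bytes(h[:4], "big") & ((1 << bits) - 1)


class IngressRouter:
    """Marks packets entering the network with segments of the router's own address."""

    def __init__(self, ingress_ip, field_bits, load_threshold, hot_fraction=0.5):
        self.ingress = int(ipaddress.IPv4Address(ingress_ip))
        self.index_bits, self.payload_bits, self.digest_bits = LAYOUTS[field_bits]
        self.segments = 32 // self.payload_bits
        self.digest = digest(self.ingress, self.digest_bits)
        self.load_threshold = load_threshold  # packets seen before overload handling kicks in
        self.hot_fraction = hot_fraction      # traffic share that flags a destination as flooded
        self.seen = 0
        self.counter = 0
        self.dst_count = defaultdict(int)

    def _mark_value(self):
        """Build the next mark: index | digest | segment of the ingress address."""
        idx = self.counter % self.segments
        self.counter += 1
        shift = 32 - self.payload_bits * (idx + 1)
        payload = (self.ingress >> shift) & ((1 << self.payload_bits) - 1)
        return (idx << (self.payload_bits + self.digest_bits)) | (self.digest << self.payload_bits) | payload

    def process(self, packet):
        """Return a copy of the packet with 'mark' set, or the packet unchanged if marking is skipped."""
        self.seen += 1
        self.dst_count[packet["dst"]] += 1
        if self.seen > self.load_threshold:
            # Overloaded: flow-based marking (assumed heuristic). Only packets whose
            # destination draws a large share of traffic, the likely DDoS victim, get marked.
            if self.dst_count[packet["dst"]] / self.seen < self.hot_fraction:
                return packet
        return {**packet, "mark": self._mark_value()}


class Victim:
    """Collects marks and reconstructs ingress addresses once every segment has arrived."""

    def __init__(self, field_bits):
        self.index_bits, self.payload_bits, self.digest_bits = LAYOUTS[field_bits]
        self.segments = 32 // self.payload_bits
        self.table = defaultdict(dict)  # digest -> {segment index: segment value}

    def absorb(self, packet):
        mark = packet.get("mark")
        if mark is None:
            return
        payload = mark & ((1 << self.payload_bits) - 1)
        d = (mark >> self.payload_bits) & ((1 << self.digest_bits) - 1)
        idx = mark >> (self.payload_bits + self.digest_bits)
        self.table[d][idx] = payload

    def reconstruct(self):
        found = []
        for d, parts in self.table.items():
            if len(parts) < self.segments:
                continue
            addr = 0
            for i in range(self.segments):
                addr = (addr << self.payload_bits) | parts[i]
            if digest(addr, self.digest_bits) == d:  # reject mixed-up segments
                found.append(str(ipaddress.IPv4Address(addr)))
        return found


def simulate(field_bits, n_packets, load_threshold):
    """Push constructed traffic through one ingress router; return (reconstructed, marked_count)."""
    router = IngressRouter("203.0.113.7", field_bits, load_threshold)
    victim = Victim(field_bits)
    marked = 0
    for n in range(n_packets):
        # Constructed traffic: four of five packets flood the victim 198.51.100.10,
        # every fifth packet is background traffic to some other host.
        dst = "198.51.100.10" if n % 5 else "198.51.100.%d" % (20 + n % 7)
        pkt = router.process({"src": "10.0.0.%d" % (n % 250), "dst": dst})
        if "mark" in pkt:
            marked += 1
        if dst == "198.51.100.10":
            victim.absorb(pkt)
    return victim.reconstruct(), marked


if __name__ == "__main__":
    for bits in (16, 24, 32):
        print(bits, simulate(bits, 40, 10))
```

With a 16-bit field the victim needs at least four marked packets from one ingress router, with 32 bits a single one; that is the "number of packets for reconstruction" trade-off the abstract measures. Once the router passes its load threshold, only packets toward the flooded destination keep receiving marks (34 of 40 in the run above), so the attack traffic stays traceable while the marking work for background traffic is dropped. The toy victim keys its table on the short digest alone, so two ingress routers whose digests collide would interfere; a real deployment has to handle that case.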
