A novel deterministic packet marking (DPM) for IP traceback against denial of service (DOS) and distributed denial of service (DDoS) attacks is presented, which features good scalability and high accuracy. In th...A novel deterministic packet marking (DPM) for IP traceback against denial of service (DOS) and distributed denial of service (DDoS) attacks is presented, which features good scalability and high accuracy. In this scheme, an ingress router pre-calculates a Hash of its IP address and splits the Hash into several fragments. When marking a packet, the router randomly selects a fragment to mark into the packet. In the traceback stage the victim identifies the marked router with the help of the map of its upstream routers. Based on the map, the victim can identify a candidate ingress router after receiving only several marked packets. The scheme overcomes defects in previous deterministic packet marking schemes, where too much packets are required to recover a router and high false positive rate occurs in case of large-scale DDoS. Theoretical analysis, the pseudo code and experimental results are provided. The scheme is proved to be accurate and efficient and can handle large-scale DDoS attacks.展开更多
IP traceback technology is an important means combating Denial of Service (DoS) attacks in the Internet.Based on Deterministic Packet Marking and Probabilistic Packet Marking, this paper proposes a new IP tracebacksch...IP traceback technology is an important means combating Denial of Service (DoS) attacks in the Internet.Based on Deterministic Packet Marking and Probabilistic Packet Marking, this paper proposes a new IP tracebackscheme which is both efficient and robust against mark field spoofing.展开更多
基金supported by the Hi-Tech Research and Development Program of China (2009AA01Z433)
文摘A novel deterministic packet marking (DPM) for IP traceback against denial of service (DOS) and distributed denial of service (DDoS) attacks is presented, which features good scalability and high accuracy. In this scheme, an ingress router pre-calculates a Hash of its IP address and splits the Hash into several fragments. When marking a packet, the router randomly selects a fragment to mark into the packet. In the traceback stage the victim identifies the marked router with the help of the map of its upstream routers. Based on the map, the victim can identify a candidate ingress router after receiving only several marked packets. The scheme overcomes defects in previous deterministic packet marking schemes, where too much packets are required to recover a router and high false positive rate occurs in case of large-scale DDoS. Theoretical analysis, the pseudo code and experimental results are provided. The scheme is proved to be accurate and efficient and can handle large-scale DDoS attacks.
文摘IP traceback technology is an important means combating Denial of Service (DoS) attacks in the Internet.Based on Deterministic Packet Marking and Probabilistic Packet Marking, this paper proposes a new IP tracebackscheme which is both efficient and robust against mark field spoofing.