Elements of information theory
Summary cache: a scalable wide-area web cache sharing protocol
IEEE/ACM Transactions on Networking (TON)
Using router stamping to identify the source of IP packets
Proceedings of the 7th ACM conference on Computer and communications security
Space/time trade-offs in hash coding with allowable errors
Communications of the ACM
Protecting web servers from distributed denial of service attacks
Proceedings of the 10th international conference on World Wide Web
Proceedings of the 2001 conference on Applications, technologies, architectures, and protocols for computer communications
Network support for IP traceback
IEEE/ACM Transactions on Networking (TON)
Trajectory sampling for direct traffic observation
IEEE/ACM Transactions on Networking (TON)
An analysis of using reflectors for distributed denial-of-service attacks
ACM SIGCOMM Computer Communication Review
Controlling high bandwidth aggregates in the network
ACM SIGCOMM Computer Communication Review
Efficient packet marking for large-scale IP traceback
Proceedings of the 9th ACM conference on Computer and communications security
IEEE/ACM Transactions on Networking (TON)
Proceedings of the 2002 conference on Applications, technologies, architectures, and protocols for computer communications
Sustaining Availability of Web Services under Distributed Denial of Service Attacks
IEEE Transactions on Computers
ICNP '02 Proceedings of the 10th IEEE International Conference on Network Protocols
Pi: A Path Identification Mechanism to Defend against DDoS Attacks
SP '03 Proceedings of the 2003 IEEE Symposium on Security and Privacy
A framework for classifying denial of service attacks
Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications
Proceedings of the 2003 ACM SIGMOD international conference on Management of data
Hop-count filtering: an effective defense against spoofed DDoS traffic
Proceedings of the 10th ACM conference on Computer and communications security
Alliance formation for DDoS defense
Proceedings of the 2003 workshop on New security paradigms
Snort - Lightweight Intrusion Detection for Networks
LISA '99 Proceedings of the 13th USENIX conference on System administration
Tracing Anonymous Packets to Their Approximate Source
LISA '00 Proceedings of the 14th USENIX conference on System administration
Trade-offs in probabilistic packet marking for IP traceback
Journal of the ACM (JACM)
Inferring internet denial-of-service activity
SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
IEEE Transactions on Parallel and Distributed Systems
Demonstration experiments towards practical IP traceback on the internet
CCNC'10 Proceedings of the 7th IEEE conference on Consumer communications and networking conference
Intra-domain IP traceback using OSPF
Computer Communications
Review: Analyzing well-known countermeasures against distributed denial of service attacks
Computer Communications
AK-PPM: an authenticated packet attribution scheme for mobile ad hoc networks
RAID'12 Proceedings of the 15th international conference on Research in Attacks, Intrusions, and Defenses
NSS'12 Proceedings of the 6th international conference on Network and System Security
A fast indexing algorithm optimization with user behavior pattern
ICPCA/SWS'12 Proceedings of the 2012 international conference on Pervasive Computing and the Networked World
Tracing attack packets to their sources, known as IP traceback, is an important step to counter distributed denial-of-service (DDoS) attacks. In this paper, we propose a novel packet-logging-based (i.e., hash-based) traceback scheme that requires an order of magnitude smaller processing and storage cost than the hash-based scheme proposed by Snoeren et al. [1], thereby being able to scale to much higher link speeds (e.g., OC-768). The baseline idea of our approach is to sample and log a small percentage (e.g., 3.3%) of packets. The challenge of this low sampling rate is that much more sophisticated techniques need to be used for traceback. Our solution is to construct the attack tree using the correlation between the attack packets sampled by neighboring routers. The scheme using naive independent random sampling does not perform well due to the low correlation between the packets sampled by neighboring routers. We invent a sampling scheme that improves this correlation and the overall efficiency significantly. Another major contribution of this work is that we introduce a novel information-theoretic framework for our traceback scheme to answer important questions on system parameter tuning and the fundamental tradeoff between the resources used for traceback and the traceback accuracy. Simulation results based on real-world network topologies (e.g., Skitter) match very well with results from the information-theoretic analysis. The simulation results also demonstrate that our traceback scheme can achieve high accuracy and scale very well to a large number of attackers (e.g., 5000+).