Traceback-based Bloomfilter IPS in defending SYN flooding attack

Authors:
Huan-rong Tang;Chao Xu;Xin-gao Luo;Jian-quan OuYang
Affiliations:
Key Laboratory of Intelligent Computing & Information Processing, Xiangtan University, Ministry of Education, Xiangtan City, Hunan Province, China;Key Laboratory of Intelligent Computing & Information Processing, Xiangtan University, Ministry of Education, Xiangtan City, Hunan Province, China;Key Laboratory of Intelligent Computing & Information Processing, Xiangtan University, Ministry of Education, Xiangtan City, Hunan Province, China;Key Laboratory of Intelligent Computing & Information Processing, Xiangtan University, Ministry of Education, Xiangtan City, Hunan Province, China
Venue:
WiCOM'09 Proceedings of the 5th International Conference on Wireless communications, networking and mobile computing
Year:
2009

Citing 8
Cited 2

Summary cache: a scalable wide-area Web cache sharing protocol

Proceedings of the ACM SIGCOMM '98 conference on Applications, technologies, architectures, and protocols for computer communication
Space/time trade-offs in hash coding with allowable errors

Communications of the ACM
Compressed bloom filters

IEEE/ACM Transactions on Networking (TON)
Single-packet IP traceback

IEEE/ACM Transactions on Networking (TON)
Hop-count filtering: an effective defense against spoofed DDoS traffic

Proceedings of the 10th ACM conference on Computer and communications security
A taxonomy of DDoS attack and DDoS defense mechanisms

ACM SIGCOMM Computer Communication Review
Change-Point Monitoring for the Detection of DoS Attacks

IEEE Transactions on Dependable and Secure Computing
Defending Against TCP SYN Flooding Attacks Under Different Types of IP Spoofing

ICNICONSMCL '06 Proceedings of the International Conference on Networking, International Conference on Systems and International Conference on Mobile Communications and Learning Technologies

Proposal of privacy protection system for web forms using Bloom filter

Proceedings of the 6th International Conference on Ubiquitous Information Management and Communication
Survey Bloom filter applications in network security: A state-of-the-art survey

Computer Networks: The International Journal of Computer and Telecommunications Networking

Quantified Score

Hi-index	0.00

Visualization

Abstract

Recently, the key of network security is turning from passive detection to active defense. However, most works focused on how fast it can detect the DDoS attack and start defence, and existing methods for differentiating DDoS attack packets, especially SYN flooding attacks, are too time-expensive. When SYN flooding started, victim servers have to call for a lot of memory, usually more than 500MB, to store the attack packets. To make the differentiating scheme more robust, we record the TCP session statistics (IP-TTL) of SYN packets in a Traceback-based Bloom Filter (TBF), and as the attacks start, we match the SYN packets and IP-TTL statistics to differentiate the attacks packets. In addition, we introduce the trace-back strategy to filter the frequently attacked TBF's IP. In comparison with current methods, the proposed approach can both hold back large-scale fake IP and defend IP Spoofing. Experiments verify that once applied the proposed method in Snort_inline, the hold back precision is 98.65% and the semi-join queue is almost empty, otherwise, the precision is near to zero and the semi-join queue is full.