Practical network support for IP traceback
Proceedings of the conference on Applications, Technologies, Architectures, and Protocols for Computer Communication
Proceedings of the 2001 conference on Applications, technologies, architectures, and protocols for computer communications
Adjusted Probabilistic Packet Marking for IP Traceback
NETWORKING '02 Proceedings of the Second International IFIP-TC6 Networking Conference on Networking Technologies, Services, and Protocols; Performance of Computer and Communication Networks; and Mobile and Wireless Communications
A large-scale hidden semi-Markov model for anomaly detection on user browsing behaviors
IEEE/ACM Transactions on Networking (TON)
Towards automatic security management: a model-based approach
Proceedings of the Eighth Annual Cyber Security and Information Intelligence Research Workshop
Hi-index | 0.01 |
Due to proliferation of diverse network applications, DoS/DDoS attacks are evolving. Many studies have been performed and implemented in on/off-line network devices such as routers and IDS/IPS. While IDS/IPS is powerful enough to handle deep packet inspection (DPI) tasks, routers are better suited in real-time and line-speed processing requirements. Since the routers are designed to handle IP packet header information, if one can devise an DoS/DDoS detection/prevention methods that utilizes the router specific features it will be best for the in-line and real-time processing. We introduce a Flow based DoS/DDoS detection algorithm(FDDA) that detects Distributed Denial of Service (DDoS) attacks by monitoring TTL and ID fields of incoming packet's IP header. As DDoS attacks are based on IP source address spoofing, the TTL and ID fields may have abnormal behavior. The device keeps track of 8-tuple flow table. The behavior of these two fields is monitored to determine DoS/DDoS attack situation. The effectiveness of our method is such that it is implemented flow-based routers and devices.