An analysis of using reflectors for distributed denial-of-service attacks
ACM SIGCOMM Computer Communication Review
A framework for classifying denial of service attacks
Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications
Hop-count filtering: an effective defense against spoofed DDoS traffic
Proceedings of the 10th ACM conference on Computer and communications security
Variability in TCP round-trip times
Proceedings of the 3rd ACM SIGCOMM conference on Internet measurement
Perimeter-Based Defense against High Bandwidth DDoS Attacks
IEEE Transactions on Parallel and Distributed Systems
Mapping and visualizing the internet
ATEC '00 Proceedings of the annual conference on USENIX Annual Technical Conference
| Hi-index | 0.00 |
This paper develops the concept of victim-assistance for denial of service (DoS) mitigation. The proposed concept is utilized within a simple, yet effective scheme designed for mitigating TCP-based reflector DoS attacks. The proposed scheme, called SYN number based filtering (SNF), takes into account the TCP's connection establishment behavior and the inherent features of the attack itself. The main idea of the SNF scheme is to restrict the choice of the initial sequence numbers of SYN packets to certain pattern, such that corresponding SYN-ACK packets can be validated at the ISP's perimeter. We evaluate the proposed scheme through analytical studies for classical and advanced attacks using two performance metrics, namely, the false positive and false negative rates. Our analysis shows that the proposed scheme offers low false positive and false negative rates. In addition, we identify several research problems based on the proposed concept.