Learning the valid incoming direction of IP packets
Computer Networks: The International Journal of Computer and Telecommunications Networking
Passport: secure and adoptable source authentication
NSDI'08 Proceedings of the 5th USENIX Symposium on Networked Systems Design and Implementation
On the state of IP spoofing defense
ACM Transactions on Internet Technology (TOIT)
Understanding the efficacy of deployed internet source address validation filtering
Proceedings of the 9th ACM SIGCOMM conference on Internet measurement conference
Unified defense against DDoS attacks
NETWORKING'07 Proceedings of the 6th international IFIP-TC6 conference on Ad Hoc and sensor networks, wireless networks, next generation internet
Design and analysis of a hierarchical IP traceback system
ICC'09 Proceedings of the 2009 IEEE international conference on Communications
A novel DDOS attack defending framework with minimized bilateral damages
CCNC'10 Proceedings of the 7th IEEE conference on Consumer communications and networking conference
DMIPS: defensive mechanism against IP spoofing
ACISP'11 Proceedings of the 16th Australasian conference on Information security and privacy
Verifying and enforcing network paths with icing
Proceedings of the Seventh COnference on emerging Networking EXperiments and Technologies
Enable a trustworthy network by source address spoofing prevention routers: a formal description
EUC'06 Proceedings of the 2006 international conference on Emerging Directions in Embedded and Ubiquitous Computing
On building inexpensive network capabilities
ACM SIGCOMM Computer Communication Review
Collaborative scheme for VoIP traceback
Digital Investigation: The International Journal of Digital Forensics & Incident Response
An incrementally deployable path address scheme
Journal of Parallel and Distributed Computing
| Hi-index | 0.07 |
Today's Internet hosts are threatened by large-scale distributed denial-of-service (DDoS) attacks. The path identification (Pi) DDoS defense scheme has recently been proposed as a deterministic packet marking scheme that allows a DDoS victim to filter out attack packets on a per packet basis with high accuracy after only a few attack packets are received (Yaar , 2003). In this paper, we propose the StackPi marking, a new packet marking scheme based on Pi, and new filtering mechanisms. The StackPi marking scheme consists of two new marking methods that substantially improve Pi's incremental deployment performance: Stack-based marking and write-ahead marking. Our scheme almost completely eliminates the effect of a few legacy routers on a path, and performs 2-4 times better than the original Pi scheme in a sparse deployment of Pi-enabled routers. For the filtering mechanism, we derive an optimal threshold strategy for filtering with the Pi marking. We also develop a new filter, the PiIP filter, which can be used to detect Internet protocol (IP) spoofing attacks with just a single attack packet. Finally, we discuss in detail StackPi's compatibility with IP fragmentation, applicability in an IPv6 environment, and several other important issues relating to potential deployment of StackPi