Pi: A Path Identification Mechanism to Defend against DDoS Attacks

  • Authors:
  • Abraham Yaar;Adrian Perrig;Dawn Song

  • Venue:
  • SP '03 Proceedings of the 2003 IEEE Symposium on Security and Privacy
  • Year:
  • 2003

Abstract

Distributed Denial of Service (DDoS) attacks continue to plague the Internet. Defense against these attacks is complicated by spoofed source IP addresses, which make it difficult to determine a packet's true origin. We propose Pi (short for Path Identifier), a new packet marking approach in which a path fingerprint is embedded in each packet, enabling a victim to identify packets traversing the same paths through the Internet on a per packet basis, regardless of source IP address spoofing.

Pi features many unique properties. It is a per-packet deterministic mechanism: each packet traveling along the same path carries the same identifier. This allows the victim to take a proactive role in defending against a DDoS attack by using the Pi mark to filter out packets matching the attackers' identifiers on a per packet basis. The Pi scheme performs well under large-scale DDoS attacks consisting of thousands of attackers, and is effective even when only half the routers in the Internet participate in packet marking. Pi marking and filtering are both extremely light-weight and require negligible state.

We use traceroute maps of real Internet topologies (e.g. CAIDA's Skitter [5] and Burch and Cheswick's Internet Map [3, 14]) to simulate DDoS attacks and validate our design.