Honeypot back-propagation for mitigating spoofing distributed Denial-of-Service attacks

Authors:
Sherif Khattab;Rami Melhem;Daniel Mossé;Taieb Znati
Affiliations:
Department of Computer Science, University of Pittsburgh, PA;Department of Computer Science, University of Pittsburgh, PA;Department of Computer Science, University of Pittsburgh, PA;Department of Computer Science, University of Pittsburgh, PA and Department of Information Science and Telecommunications, University of Pittsburgh, PA
Venue:
Journal of Parallel and Distributed Computing - Special issue: Security in grid and distributed systems
Year:
2006

Citing 21
Cited 2

Practical network support for IP traceback

Proceedings of the conference on Applications, Technologies, Architectures, and Protocols for Computer Communication
On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law internets

Proceedings of the 2001 conference on Applications, technologies, architectures, and protocols for computer communications
An algebraic approach to IP traceback

ACM Transactions on Information and System Security (TISSEC)
Controlling high bandwidth aggregates in the network

ACM SIGCOMM Computer Communication Review
Single-packet IP traceback

IEEE/ACM Transactions on Networking (TON)
SOS: secure overlay services

Proceedings of the 2002 conference on Applications, technologies, architectures, and protocols for computer communications
Honeypots for Distributed Denial of Service Attacks

WETICE '02 Proceedings of the 11th IEEE International Workshops on Enabling Technologies: nfrastructure for Collaborative Enterprises
How to Own the Internet in Your Spare Time

Proceedings of the 11th USENIX Security Symposium
A Simulation Study of the Proactive Server Roaming for Mitigating Denial of Service Attacks

ANSS '03 Proceedings of the 36th annual symposium on Simulation
An implementation of a hierarchical IP traceback architecture

SAINT-W '03 Proceedings of the 2003 Symposium on Applications and the Internet Workshops (SAINT'03 Workshops)
Migratory TCP: Connection Migration for Service Continuity in the Internet

ICDCS '02 Proceedings of the 22 nd International Conference on Distributed Computing Systems (ICDCS'02)
Low-rate TCP-targeted denial of service attacks: the shrew vs. the mice and elephants

Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications
The case for TCP/IP puzzles

FDNA '03 Proceedings of the ACM SIGCOMM workshop on Future directions in network architecture
Roaming Honeypots for Mitigating Service-Level Denial-of-Service Attacks

ICDCS '04 Proceedings of the 24th International Conference on Distributed Computing Systems (ICDCS'04)
A taxonomy of DDoS attack and DDoS defense mechanisms

ACM SIGCOMM Computer Communication Review
Mohonk: mobile honeypots to trace unwanted traffic early

Proceedings of the ACM SIGCOMM workshop on Network troubleshooting: research, theory and operations practice meet malfunctioning reality
Mitigating bandwidth-exhaustion attacks using congestion puzzles

Proceedings of the 11th ACM conference on Computer and communications security
Tracing Anonymous Packets to Their Approximate Source

LISA '00 Proceedings of the 14th USENIX conference on System administration
Provider-Based Deterministic Packet Marking against Distributed DoS Attacks

IPDPS '05 Proceedings of the 19th IEEE International Parallel and Distributed Processing Symposium (IPDPS'05) - Workshop 17 - Volume 18
Centertrack: an IP overlay network for tracking DoS floods

SSYM'00 Proceedings of the 9th conference on USENIX Security Symposium - Volume 9
Honeypot back-propagation for mitigating spoofing distributed denial-of-service attacks

IPDPS'06 Proceedings of the 20th international conference on Parallel and distributed processing

Mitigating distributed denial-of-service attacks using network connection control charts

Proceedings of the 2nd international conference on Scalable information systems
Detection of blackhole attack in a Wireless Mesh Network using intelligent honeypot agents

The Journal of Supercomputing

Quantified Score

Hi-index	0.00

Visualization

Abstract

The Denial-of-Service (DoS) attack is a challenging problem in the current Internet. Many schemes have been proposed to trace spoofed (forged) attack packets back to their sources. Among them, hop-by-hop schemes are less vulnerable to router compromise than packet marking schemes, but they require accurate attack signatures, high storage or bandwidth overhead, and cooperation of many ISPs. In this paper, we propose honeypot back-propagation, an efficient hop-by-hop traceback mechanism, in which accurate attack signatures are obtained by a novel leverage of the roaming honeypots scheme. The reception of attack packets by a roaming honeypot (a decoy machine camouflaged within a server pool) triggers the activation of a tree of honeypot sessions rooted at the honeypot under attack toward attack sources. The tree is formed hierarchically, first at Autonomous system (AS) level and then at router level. Honeypot back-propagation supports incremental deployment by providing incentives for ISPs even with partial deployment. Against low-rate attackers, most traceback schemes would take a long time to collect the needed number of packets. To address this problem, we also propose progressive back-propagation to handle low-rate attacks, such as on-off attacks with short bursts. Analytical and simulation results demonstrate the effectiveness of the proposed schemes under a variety of DDoS attack scenarios.