Abstract
This paper describes a novel DDoS traceback scheme. It addresses the disadvantages of current schemes, which cannot trace back large-scale DDoS attacks because of their increasing false positive rate, cannot trace back DDoS attacks quickly because of the large number of packets required for reconstruction, or cannot be applied in the high-speed Internet because of the high network and router overhead. The proposed scheme maps k hash digests of the router's IP address into an m-bit Bloom Filter array. The m-bit Bloom Filter array is then probabilistically written into the IP header of a passing packet, or deterministically accumulated with the marking information already in the IP header of a marked packet. If the Bloom Filter array in the marking information is full, the marking information is probabilistically written into another packet with the same source address and destination address. This scheme has several advantages: a low false positive rate, fewer packets needed to reconstruct the attack path, and low computation and storage overhead at the router. It implements local traceback quickly under large-scale DDoS attack in the high-speed Internet.

passing through the router. It heavily reduces the number of packets required for reconstruction, but the packet is deterministically marked at the router, so the marking overhead at the router is high and the scheme cannot be applied in the high-speed Internet. The use of the option field may cause the marked packet to be fragmented, which increases the network communication overhead and impairs attack path reconstruction. Takurou (2) adopts a space-efficient data structure, the Bloom Filter, to store all routers' information on one path using less space in the IP header. The router deterministically maps the k hash digests of the router's IP address into an m-bit Bloom Filter array and writes the m-bit array into the IP header. At the next router, the same method is adopted.
The k hash digests of the router's IP address are mapped into an m-bit Bloom Filter array, then the m-bit array is accumulated with the m-bit marking information in the IP header and the accumulation is rewritten into the IP header of the same packet. This scheme can trace a single packet with a smaller marking field. However, some routers have the same set of digest values because hashing is an irreversible compression, and even where routers differ, many false positives arise from the accumulation of Bloom Filter arrays, so the scheme cannot scale to large-scale DDoS attacks. To address these shortcomings, an improved packet marking scheme based on the space-code Bloom Filter is proposed for DDoS traceback. The k hash digests of the router's IP address are mapped to the m-bit Bloom Filter, and then probabilistically written into the IP header of the passing packet. At the next router, the k hash digests of the router's IP address are accumulated with the marking information in the IP header of the marked packet. If the Bloom Filter array in the IP header is full, the marking information is stored in the IP header of another packet with the same source address and destination address; that is, when the Bloom Filter array is full, it is paged for storage. So the false positives are heavily reduced. Furthermore, it requires fewer packets for path reconstruction and lowers the overhead on the network and router. Thus it can trace back large-scale DDoS attacks quickly in the high-speed Internet.
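The marking and reconstruction steps described above, as an added simulation that is not the paper's code. It models each router as mapping k hash digests of its IP address into an m-bit array, marking unmarked packets probabilistically, OR-accumulating into already marked packets, and paging to a later packet of the same source/destination pair once the array is full; the victim then tests candidate routers for Bloom membership in the collected pages. The values of m, k, the marking probability, the "full" threshold, the paging rule (mark the next unmarked packet of the flow) and all addresses are assumptions chosen for the example.

```python
"""Simulation of Bloom-Filter packet marking for DDoS traceback.
Added example, not the paper's code: m, k, the marking probability, the
'full' threshold and the paging rule are assumptions."""
import hashlib
import random
from dataclasses import dataclass, field
from typing import Callable, Optional

M_BITS = 32      # bits of the Bloom Filter array carried in the IP header (assumed)
K_HASHES = 3     # hash digests per router (assumed)
FULL_BITS = 12   # a page counts as full once this many bits are set (assumed)


def router_bloom(ip: str, m: int = M_BITS, k: int = K_HASHES) -> int:
    """Map k hash digests of the router's IP into an m-bit array, returned as a bitmask."""
    bits = 0
    for i in range(k):
        digest = hashlib.sha256(f"{i}:{ip}".encode()).digest()
        bits |= 1 << (int.from_bytes(digest[:4], "big") % m)
    return bits


def popcount(bits: int) -> int:
    return bin(bits).count("1")


def contains(page: int, ip: str) -> bool:
    """Bloom membership test: the page must have every bit of the router's array set."""
    b = router_bloom(ip)
    return page & b == b


@dataclass
class Packet:
    src: str
    dst: str
    mark: Optional[int] = None   # None means the header carries no marking yet


@dataclass
class Router:
    ip: str
    p: float                          # marking probability for unmarked packets
    draw: Callable[[], float]         # source of uniform [0, 1) values
    full_bits: int = FULL_BITS
    deferred: set = field(default_factory=set)   # flows whose page was full last time

    def forward(self, pkt: Packet) -> None:
        flow = (pkt.src, pkt.dst)
        mine = router_bloom(self.ip)
        if pkt.mark is None:
            # Probabilistic marking; a flow with a pending (paged) marking is marked deterministically.
            if flow in self.deferred or self.draw() < self.p:
                pkt.mark = mine
                self.deferred.discard(flow)
        elif popcount(pkt.mark) >= self.full_bits:
            # Page full: leave this packet alone and write the marking into a later
            # unmarked packet of the same source/destination pair (paging, assumed rule).
            self.deferred.add(flow)
        else:
            # Deterministic accumulation: OR the router's array into the existing marking.
            pkt.mark |= mine


def simulate(path, n_packets, p, seed=1, draw=None, full_bits=FULL_BITS):
    """Push n_packets of one flow through the routers in `path`; return the distinct
    pages (marking arrays) that arrive at the victim."""
    draw = draw or random.Random(seed).random
    routers = [Router(ip, p, draw, full_bits) for ip in path]
    pages = set()
    for _ in range(n_packets):
        pkt = Packet("10.0.0.1", "192.0.2.10")     # constructed attacker/victim addresses
        for r in routers:
            r.forward(pkt)
        if pkt.mark is not None:
            pages.add(pkt.mark)
    return sorted(pages)


def reconstruct(pages, candidates):
    """Victim side: a candidate router is placed on the path if its array sits in any page."""
    return {ip for ip in candidates if any(contains(pg, ip) for pg in pages)}


if __name__ == "__main__":
    path = [f"10.1.{i}.1" for i in range(1, 7)]        # constructed 6-hop attack path
    decoys = [f"10.2.{i}.1" for i in range(1, 41)]     # constructed routers not on the path
    pages = simulate(path, n_packets=500, p=0.2)
    found = reconstruct(pages, path + decoys)
    print(f"{len(pages)} distinct pages; recovered {sorted(found & set(path))}; "
          f"false positives {sorted(found - set(path))}")
```

Running the demo with a larger m or smaller k shows the trade-off the text describes: a larger array pages less often and yields fewer false positives among the decoy routers, while a smaller array fits more easily in the header but saturates sooner. The membership test has no false negatives, so any router whose array was ever folded into a page is recovered; the false positives come only from decoy routers whose bits happen to be covered by an accumulated page.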