To counter DDoS attacks, one of the most straightforward methods is to filter out malicious traffic flows. Packet filtering is usually performed at routers based on clearly defined attack signatures, such as obviously invalid source addresses. However, attack traffic cannot be filtered out this way if it consists of packets that request legitimate services [54]. Another common drawback of packet filtering is that it usually needs to be deployed widely in order to protect the victim.
Ingress filtering was initially proposed in RFC 2267 [80], which has since been replaced by RFC 2827 [56] (BCP 38). Ingress filtering enables a router to check the source address of each packet and drop packets that carry invalid addresses. To distinguish valid from invalid addresses, the best place to deploy it is at edge routers, where address ownership is relatively simple and clear. If ingress filtering is widely deployed, DDoS attack traffic with spoofed source addresses has fewer opportunities to enter the Internet. However, it cannot help if an attacker spoofs an address that is valid within the local network behind the filtering router, and it does not help the victim defend against attacks that do not use spoofed addresses at all.
CHAPTER 3. RELATED WORK 26

Y.-H. Hu et al. propose a time-window-based packet filtering mechanism in [50]. It operates before the regular queue management of a router. Using a sliding time window whose size is adjusted dynamically, it identifies and drops flows that are growing aggressively, which it treats as attack flows. However, collateral damage to legitimate traffic is unavoidable, because the mechanism does not distinguish between attack and legitimate packets within such a flow.
T. Peng et al. propose a history-based IP filtering mechanism to stop attack packets at edge routers before they reach the victim [33]. After analyzing normal IP traffic, they find that most source addresses of legitimate packets arriving at a server reappear regularly. An edge router therefore records, during normal operation, all source addresses that have proved legitimate in its previous connection history. Then, when the victim is suffering from a high level of congestion, the router drops packets whose source addresses are not in this database. A drawback of the mechanism is that it cannot work if an attacker uses addresses that are already stored in the database.
Hop-count filtering is a mechanism proposed by C. Jin et al. to counter DDoS attacks that use spoofed source addresses [24]. After analyzing the attack tools in use at the time, they found that none of them modifies the TTL field of the IP header. Because operating systems use only a few distinct initial TTL values, the number of hops a packet has travelled can be inferred from the TTL value it arrives with. The mechanism groups source addresses by address prefix and builds an accurate IP-to-hop-count mapping table from traffic observed during normal operation. Then, when the network experiences a high level of congestion, packets whose inferred hop count does not match the table entry for their source are dropped. An obvious drawback is that the mechanism can be fooled by an attacker who spoofs the initial TTL value along with the source address, and spoofing the TTL field is no more difficult than spoofing any other field of the IP header. Another drawback is, again, collateral damage to legitimate traffic: under heavy congestion legitimate packets are often rerouted, which changes their hop count, and they are then dropped because they no longer match the mapping table.
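The table-building and checking steps described above, as an added illustration that is not code from [24] or from this thesis. It assumes a fixed set of common initial TTL values (32, 64, 128, 255) and a fixed /24 aggregation of source addresses; the original mechanism's clustering of prefixes is replaced by this simpler grouping. The sample packets are constructed from documentation-only address ranges, and the last two cases exercise the two drawbacks named in the text: a spoofed packet whose TTL has been chosen to match the table, and a legitimate client whose path length changed.

```python
import ipaddress
from collections import Counter, defaultdict

# Initial TTL values commonly set by operating systems. Assumption: this is
# the candidate set; the page only says the hop count is inferred from the TTL.
INITIAL_TTLS = (32, 64, 128, 255)


def infer_hop_count(observed_ttl):
    """Hop count = (smallest common initial TTL >= observed TTL) - observed TTL.

    The initial TTL is not carried in the packet, so it is guessed from the
    observed value; that guess is exactly what a TTL-spoofing attacker exploits.
    """
    if not 0 <= observed_ttl <= 255:
        raise ValueError("TTL outside 0..255")
    for initial in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial - observed_ttl
    raise AssertionError("unreachable: 255 is in INITIAL_TTLS")


def prefix_of(src_ip, prefix_len=24):
    """Aggregate source addresses into fixed-length prefixes (assumed granularity)."""
    return ipaddress.ip_network(f"{src_ip}/{prefix_len}", strict=False)


class HopCountFilter:
    def __init__(self):
        self.table = {}  # prefix -> expected hop count

    def learn(self, normal_packets):
        """Build the mapping table from (src_ip, ttl) pairs seen while not under attack.

        The most frequent inferred hop count per prefix becomes the expected value.
        """
        seen = defaultdict(Counter)
        for src_ip, ttl in normal_packets:
            seen[prefix_of(src_ip)][infer_hop_count(ttl)] += 1
        self.table = {p: c.most_common(1)[0][0] for p, c in seen.items()}

    def should_drop(self, src_ip, ttl, congested):
        """Filter only under congestion; prefixes absent from the table are forwarded (assumption)."""
        if not congested:
            return False
        expected = self.table.get(prefix_of(src_ip))
        if expected is None:
            return False
        return infer_hop_count(ttl) != expected


# Constructed sample of normal traffic: (source address, TTL on arrival).
NORMAL_TRAFFIC = [
    ("203.0.113.10", 54), ("203.0.113.11", 54), ("203.0.113.12", 54),     # 64 - 54 = 10 hops
    ("198.51.100.5", 113), ("198.51.100.6", 113), ("198.51.100.7", 112),  # mostly 128 - 113 = 15 hops
]


def build_demo_filter():
    f = HopCountFilter()
    f.learn(NORMAL_TRAFFIC)
    return f


if __name__ == "__main__":
    f = build_demo_filter()
    cases = [
        ("203.0.113.7", 61, "spoofed by a bot 3 hops away, TTL left untouched"),
        ("203.0.113.9", 54, "spoofed with the TTL chosen to match the table"),
        ("198.51.100.20", 111, "legitimate client rerouted onto a 17-hop path"),
    ]
    for ip, ttl, why in cases:
        drop = f.should_drop(ip, ttl, congested=True)
        print(f"{ip:15} ttl={ttl:3} hops={infer_hop_count(ttl):2} drop={drop!s:5} ({why})")
```

The first case is dropped (3 hops versus the expected 10), the second is forwarded although it is spoofed, and the third is dropped although it is legitimate, which is the collateral damage the text describes.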
DDoS attack by analyzing the entropy and calculating the chi-square statistic of IP attributes. The mechanism divides source addresses into a few bins based on their frequency. During detection, the chi-square component identifies the bins whose frequency distributions are anomalous, and a number of static filtering rules are then set up to filter out packets from these bins. An obvious drawback of the mechanism is that it performs poorly against attacks that do not spoof source addresses: for such attacks the variation in source address frequency is small and not easily detectable. In addition, a bin may contain a number of legitimate addresses, and the static filtering rules will harm them too.
S. Tanachaiwiwat et al. propose an adaptive packet filtering mechanism [47] that defends against DDoS attacks by giving attack and legitimate traffic different QoS. The mechanism requires a router to hold each packet briefly before forwarding it. For the packet's source address, the router increments the corresponding IP counter in its active IP table and resets that entry's timer to its maximum value, then chooses the QoS for the packet based on the current counter value. Legitimate packets usually obtain high counter values because legitimate addresses tend to reappear regularly, whereas the large number of spoofed addresses that turn up during an attack naturally have very low counter values. The mechanism does not explicitly distinguish legitimate from attack packets; it merely tries to sustain high QoS for legitimate traffic. However, it cannot protect a new legitimate connection that starts during an attack, because its counter value is low as well. Furthermore, it can be tricked into forwarding attack traffic with high QoS when an attacker uses source addresses that already have high counter values; in that case the router actively helps the attack traffic reach the victim.
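The counter-and-timer bookkeeping above, as an added simulation that is not code from [47] or from this thesis. The timer length, the counter threshold that separates the two QoS classes, and the use of only two classes are all assumptions, since the page states only that QoS is chosen "based on the current IP counter value". The traffic is constructed: a few clients that send steadily, then a flood with a fresh spoofed address per packet, followed by the two failure cases named in the text (a new legitimate client during the attack, and an attacker reusing an address that already has a high counter).

```python
# Hypothetical parameters (the page gives none).
MAX_TIME = 5          # timer value an entry is reset to on every packet from its address
HIGH_QOS_COUNTER = 3  # counter value from which packets are placed in the high-QoS class


class AdaptiveQoSFilter:
    def __init__(self, max_time=MAX_TIME, threshold=HIGH_QOS_COUNTER):
        self.max_time = max_time
        self.threshold = threshold
        self.active = {}  # source IP -> [counter, time remaining]

    def classify(self, src_ip):
        """Record one packet from src_ip and return its QoS class ('high' or 'low')."""
        entry = self.active.setdefault(src_ip, [0, 0])
        entry[0] += 1                 # increment the IP counter
        entry[1] = self.max_time      # reset the timer to its maximum
        return "high" if entry[0] >= self.threshold else "low"

    def tick(self):
        """One time unit passes: age every timer and evict entries that expired."""
        for ip in list(self.active):
            self.active[ip][1] -= 1
            if self.active[ip][1] <= 0:
                del self.active[ip]


def simulate():
    """Constructed scenario; returns the QoS outcomes the text reasons about."""
    f = AdaptiveQoSFilter()
    legit = ["203.0.113.10", "203.0.113.11", "198.51.100.5"]

    # Normal period: each legitimate client sends one packet per time unit for 4 units.
    for _ in range(4):
        for ip in legit:
            f.classify(ip)
        f.tick()

    # Attack period: 200 packets in one time unit, each with a distinct spoofed source.
    spoofed = [f"192.0.2.{i}" for i in range(1, 201)]
    spoofed_classes = [f.classify(ip) for ip in spoofed]

    return {
        # established client: counter already 4, now 5 -> high QoS sustained
        "legit_client": f.classify("203.0.113.10"),
        # every spoofed source is seen once, so none reaches the threshold
        "spoofed_high": spoofed_classes.count("high"),
        "spoofed_low": spoofed_classes.count("low"),
        # drawback 1: a client that first appears during the attack looks like a spoofed source
        "new_client": f.classify("198.51.100.99"),
        # drawback 2: attack packets carrying an address with a high counter get high QoS
        "attacker_reusing_known": f.classify("203.0.113.11"),
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name:24} {value}")
```

Entries whose timer runs out are evicted, so an address that stops sending for `MAX_TIME` units has to earn its counter again from zero; the simulation's legitimate clients never pause long enough for that to happen.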