
Distributed Denial of Service (DDoS) attacks are a serious threat to the Internet [1]. An attacker compromises several hosts, called agents, and uses them to flood packets toward the same destination site, named the victim, so that the traffic aggregates at the victim. The enormous volume of traffic causes congestion and packet loss. Resources are consumed by the attack traffic so that they are unavailable to legitimate clients. The quality of service of the site decreases and the site appears to be isolated.

Attackers usually spoof the source addresses of packets when launching DDoS attacks. Spoofing serves two purposes. The first is to conceal the origins of the attack so that the victim cannot trace back to its sources. The second is to make filtering at the victim hard, because it is difficult to distinguish spoofed packets from valid packets. The difficulty arises from the aggregation of a large volume of traffic and from routing being based on destination addresses only: the victim cannot verify whether the source address carried by a packet is valid. Hence, attackers have an incentive to forge source addresses. Additionally, they forge packets with addresses outside the self-network, because packets using addresses that belong to the self-network are easily detected and filtered. Note that the spoofed packets discussed in this thesis are packets whose source addresses do not reside within the self-network.

However, not all spoofed packets are malicious. For instance, in Mobile IP a host obtains a care-of address when it roams to a foreign network. The home agent uses the care-of address to forward packets to the host: it builds a tunnel between itself and the foreign agent or the host, and then sends packets to the host through it. However, the host still uses its home address as the source address of the packets it sends. Although the reverse tunneling mechanism can solve this problem, it is optional, so there is no guarantee that all networks support it. Therefore, the traffic sent by such a host should be protected from being filtered as long as it is not attack traffic.

1.1 Requirements

The requirements for a defense scheme against DDoS attacks are as follows.

Accuracy. The false alarm rate of the defense scheme should be low. If normal traffic is often mistaken for attack traffic, the normal traffic is damaged and there is unnecessary overhead, such as the prevention process. If attack traffic is frequently undetected, there is no interest in adopting the approach.

Congestion avoidance. The defense approach should avoid the occurrence of congestion, which decreases the performance of the Internet. The approach should effectively prevent shared resources from being exhausted by attacks so that the server can keep providing services to legitimate clients.

Small damage. To mitigate attacks, a defense scheme usually rate-limits or blocks all attack traffic to the victim. As a result, there is collateral damage to valid clients, and attackers thereby reach their goal. Therefore, the scheme should reduce the level of damage to legitimate traffic when it responds to attacks.

Deployment cost. The system should have a low deployment cost. The deployment cost includes the number of cooperative nodes, essential hardware requirements, the degree of modification of the Internet, and so on. This cost is one factor determining whether the system is practical.

1.2 Defense approaches

Many researchers have proposed approaches against DDoS attacks in recent years. These approaches fall into three distinct categories: the victim-end approach, the intermediate approach and the source-end approach. This classification is based on the location at which the approach defends against attacks. The victim network is the network in which the attacked server resides. The source network is the network in which the host that initiates a communication with another host resides; during a DDoS attack there are usually many source networks from which the attack originates. The intermediate network is the network constructed by core routers. In Figure 3-1, SN1 and SN2 are source networks, VN1 is the victim network and CN1 is the intermediate network. The advantages and drawbacks of approaches deployed at these different positions are described as follows.

The victim-end approach defends against DDoS attacks at the victim-end network. It allows easy detection and high detection accuracy: because all attack traffic aggregates at the victim, the approach can observe the full view of the attack, so any abnormal behavior is detected. However, because of this heavy aggregation, the large volume of attack traffic makes it hard for the approach to distinguish valid packets from spoofed packets. As a result, it is very difficult to filter the traffic. If all traffic is filtered, the attack is successful; in other words, the requests of legitimate clients are also blocked.

The intermediate approach is usually deployed at core routers and detects abnormal traffic passing through them. Its detection accuracy is lower than that of the victim-end approach because the phenomena seen at the victim, namely the aggregated attack traffic and the consumption of resources, do not appear at a core router. Since the approach needs the support of core routers, the complex coordination among different routers and networks is another disadvantage. However, the approach can effectively constrain a large volume of traffic.

The source-end approach detects anomalous behavior at the source router. Its prevention is the most effective because attack traffic is blocked before it penetrates the Internet, which protects shared resources from being exhausted by attacks. Compared with the whole attack traffic, only a small volume of traffic passes through the source router, so detection is difficult. However, it can differentiate valid traffic from attack traffic precisely because the volume of attack traffic at that point is slight.

In this thesis, we propose a defense scheme against spoofed packets at the source network. The attack is stopped as close to the source as possible in order to reduce the consumption of shared resources; once such approaches are deployed extensively, the prevention of the source-end approach is the most effective. We focus on observing the behavior of spoofed packets because spoofed traffic makes filtering and traceback extremely difficult at the victim, whereas unspoofed attack traffic can be detected and filtered easily at the victim. Besides, we analyze the packet loss rate experienced by the server to determine whether the server is under a DDoS attack.

1.3 Contribution

In this thesis, the proposed scheme detects spoofed DDoS attacks by analyzing the packet loss rate at the source network. The scheme classifies traffic and applies different policies to distinct types of traffic. It allows non-attack spoofed traffic to enter the Internet so that services such as Mobile IP can operate normally.

The design of the detection scheme is based on three characteristics of spoofed DDoS attacks. First, an attacker sends an enormous volume of traffic to the victim. Second, the attacker forges the source addresses of packets in order to conceal the sources of the attack and to make filtering at the victim hard. Third, the attack causes a high packet loss rate over the attack paths and at the victim. The detection scheme obtains the packet loss rate of the destination without the support of core routers, so the deployment cost is lower. The prevention scheme blocks or limits the bandwidth of attack traffic according to its behavior.
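As an added illustration, not code from the thesis, the following Python sketch shows how a source router could apply the definition of a spoofed packet from Section 1 (source address outside the self-network) together with the three characteristics listed above: it counts spoofed packets per destination, derives a per-destination packet loss rate, and rate-limits spoofed traffic only toward destinations that are suffering heavy loss, so that benign spoofed traffic such as a roaming Mobile IP host is still forwarded. The self-network prefix, the loss threshold, the sent/acknowledged bookkeeping and the sample packets are all constructed assumptions for this example; the thesis's actual loss estimator and policies are described in Chapter 3.

```python
"""Source-network classification of spoofed traffic by destination loss rate.

Added example, not the thesis's own code. The /24 self-network, the loss
threshold, the acknowledgement counts and the sample packets are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# Assumption: the self-network is a single prefix. A real source router would
# load every prefix it is authoritative for.
SELF_NETWORK = ipaddress.ip_network("192.0.2.0/24")

# Assumption: loss rate above which a destination is treated as under attack.
LOSS_THRESHOLD = 0.30


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def is_spoofed(pkt: Packet, self_net=SELF_NETWORK) -> bool:
    """Spoofed in the thesis's sense: source address not inside the self-network."""
    return ipaddress.ip_address(pkt.src) not in self_net


def loss_rate(sent: int, acked: int) -> float:
    """Fraction of packets toward a destination that were never acknowledged."""
    if sent == 0:
        return 0.0
    return 1.0 - acked / sent


def classify(packets, acks):
    """Return {dst: (policy, spoofed_count, loss)} for the observed traffic.

    packets: outbound packets seen at the source router.
    acks:    constructed mapping dst -> number of those packets acknowledged,
             standing in for whatever loss estimator the router uses.
    policy is "rate-limit" only when the destination sees spoofed traffic AND
    a high loss rate (the combination of the three attack characteristics);
    everything else, including benign spoofed traffic, is forwarded.
    """
    spoofed = defaultdict(int)
    sent = defaultdict(int)
    for p in packets:
        sent[p.dst] += 1
        if is_spoofed(p):
            spoofed[p.dst] += 1

    result = {}
    for dst, n in sent.items():
        loss = loss_rate(n, acks.get(dst, 0))
        if spoofed[dst] > 0 and loss > LOSS_THRESHOLD:
            policy = "rate-limit"
        else:
            policy = "forward"
        result[dst] = (policy, spoofed[dst], loss)
    return result


# Constructed sample traffic for a stand-alone run.
SAMPLE_PACKETS = (
    # legitimate, internally sourced packets to a healthy server
    [Packet("192.0.2.10", "203.0.113.5")] * 20
    # roaming mobile host still using its home address: spoofed but benign
    + [Packet("198.51.100.7", "203.0.113.5")] * 5
    # flood with forged outside sources toward one victim
    + [Packet(f"198.51.100.{i}", "203.0.113.80") for i in range(1, 41)]
    + [Packet("192.0.2.11", "203.0.113.80")] * 2
)
# Constructed acknowledgement counts: the healthy server answers everything,
# the victim answers only a fraction because of attack-induced loss.
SAMPLE_ACKS = {"203.0.113.5": 25, "203.0.113.80": 12}


if __name__ == "__main__":
    for dst, (policy, n_spoofed, loss) in classify(SAMPLE_PACKETS, SAMPLE_ACKS).items():
        print(f"{dst}: policy={policy} spoofed={n_spoofed} loss={loss:.2f}")
```

Running the block forwards all traffic toward 203.0.113.5 (including the five spoofed Mobile IP packets, since the destination shows no loss) and rate-limits the spoofed flood toward 203.0.113.80, whose loss rate is about 0.71. The decision is taken per destination rather than per source address, which is what lets the scheme avoid the collateral damage described under the small-damage requirement.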

1.4 Synopsis

This thesis is organized as follows. Related work on DDoS defense systems and on approaches to defending against spoofed packets is presented in Chapter 2. In Chapter 3, the proposed scheme is studied and its properties are discussed. Then, evaluations of the effect of the proposed scheme are shown in Chapter 4. Finally, Chapter 5 concludes the thesis and presents future work.
