A Novel Technique for Defending Against Internet DDoS Attacks


Page 2:

• Problem
• Aim
• Model
• Enhanced Probabilistic Marking (EPM)
• Attack Mitigation Decision (AMD)
• Preferential Packet Filtering (PPF)
• Evaluation Results

Page 3:

• Lack of proper defense mechanisms against DDoS
• Detecting the origin
  ◦ IP spoofing
  ◦ Ingress Filtering
  ◦ IP Traceback Mechanisms

Page 4:

• Mitigate the effects of DDoS in the course of events
• Smart filtering of DDoS traffic while allowing legitimate traffic
• Detecting “infected” paths, i.e. inferring whether or not a network edge is on the path from an attacker.

Page 6:

Proposed system has 3 modules:

1. Enhanced Probabilistic Marking (EPM) Module
2. Attack Mitigation Decision-making (AMD) Module
3. Preferential Packet Filtering (PPF) Module

Page 10:

• Uses Advanced Marking Scheme (AMS)
• Faster reconstruction
• Higher accuracy
• Needs map of upstream routers
• Determines whether an attacker has an edge on its path

Page 12:

• Marks are classified into three types:
  I. Signaling marks
  II. Data marks of a clean edge
  III. Data marks of an infected edge or unmarked

Page 13:

Task 1:
• Reconstruct the attack graph based on signaling marks
• Measure incoming traffic rates (Rsignaling, Rclean, Runsure)

Task 2:
• Adjust filtering parameters using information from Task 1
• Each mark type has a probability of passing (Asignaling, Aclean, Aunsure)

Page 14:

• Probability of passing for each packet type is recomputed periodically

Page 16:

• Performance Metrics
  I. GDR (Good Drop Ratio): the percentage of the legitimate traffic dropped
  II. BDR (Bad Drop Ratio): the percentage of the DDoS traffic dropped
  III. GTP (Good Traffic Percentage): the percentage of the traffic arriving at the victim being legitimate
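
Added example, not taken from the slides or the underlying paper: a small model of per-mark-type pass probabilities (Asignaling, Aclean, Aunsure) derived from measured rates (Rsignaling, Rclean, Runsure), scored with GDR, BDR and GTP as defined above. The slides do not give the recomputation rule, so the priority-order allocation, the victim capacity and the traffic figures are assumptions constructed for illustration.

```python
# Added illustration. The allocation rule, capacity and traffic figures are
# assumptions; the slides only say pass probabilities are recomputed periodically.
PRIORITY = ("signaling", "clean", "unsure")  # mark types, most trusted first


def pass_probabilities(rates, capacity):
    """Assumed rule: admit mark types in priority order until capacity runs out.

    rates: measured packets/s per mark type (R_signaling, R_clean, R_unsure).
    Returns the pass probability per type (A_signaling, A_clean, A_unsure).
    """
    probs, left = {}, float(capacity)
    for kind in PRIORITY:
        rate = rates.get(kind, 0.0)
        probs[kind] = 1.0 if rate <= left else left / rate
        left = max(0.0, left - rate * probs[kind])  # guard against float drift
    return probs


def drop_metrics(traffic, probs):
    """Expected GDR, BDR and GTP (percent) for per-type (legit, attack) rates."""
    good_in = sum(g for g, _ in traffic.values())
    bad_in = sum(b for _, b in traffic.values())
    good_out = sum(g * probs[k] for k, (g, _) in traffic.items())
    bad_out = sum(b * probs[k] for k, (_, b) in traffic.items())
    pct = lambda num, den: 100.0 * num / den if den else 0.0
    return {
        "GDR": pct(good_in - good_out, good_in),   # legitimate traffic dropped
        "BDR": pct(bad_in - bad_out, bad_in),      # DDoS traffic dropped
        "GTP": pct(good_out, good_out + bad_out),  # legitimate share at victim
    }


# Constructed sample: (legitimate, attack) packets/s arriving per mark type.
SAMPLE = {"signaling": (100, 0), "clean": (500, 0), "unsure": (400, 1200)}
CAPACITY = 1000  # packets/s the victim can absorb (assumed)


def evaluate(traffic=SAMPLE, capacity=CAPACITY):
    """Derive rates from the traffic mix, then compute probabilities and metrics."""
    rates = {k: g + b for k, (g, b) in traffic.items()}
    probs = pass_probabilities(rates, capacity)
    return probs, drop_metrics(traffic, probs)


if __name__ == "__main__":
    probs, metrics = evaluate()
    print(probs)
    print(metrics)
```

For comparison, dropping uniformly to the same capacity would leave GTP at the input share of legitimate traffic, 1000/2200, or about 45%.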
