• DocumentCode
    3452453
  • Title
    Pi: a path identification mechanism to defend against DDoS attacks
  • Author
    Yaar, Abraham ; Perrig, Adrian ; Song, Dawn
  • Author_Institution
    Carnegie Mellon Univ., Pittsburgh, PA, USA
  • fYear
    2003
  • fDate
    11-14 May 2003
  • Firstpage
    93
  • Lastpage
    107
  • Abstract
    Distributed denial of service (DDoS) attacks continue to plague the Internet. Defense against these attacks is complicated by spoofed source IP addresses, which make it difficult to determine a packet's true origin. We propose Pi (short for path identifier), a new packet marking approach in which a path fingerprint is embedded in each packet, enabling a victim to identify packets traversing the same paths through the Internet on a per packet basis, regardless of source IP address spoofing. Pi features many unique properties. It is a per-packet deterministic mechanism: each packet traveling along the same path carries the same identifier. This allows the victim to take a proactive role in defending against a DDoS attack by using the Pi mark to filter out packets matching the attackers' identifiers on a per packet basis. The Pi scheme performs well under large-scale DDoS attacks consisting of thousands of attackers, and is effective even when only half the routers in the Internet participate in packet marking. Pi marking and filtering are both extremely lightweight and require negligible state. We use traceroute maps of real Internet topologies (e.g. CAIDA's Skitter (2000) and Burch and Cheswick's Internet Map (1999, 2002)) to simulate DDoS attacks and validate our design.
  • Keywords
    Internet; authorisation; computer network management; invasive software; network operating systems; CAIDA Skitter; DDoS attacks; Distributed denial of service; Internet Map; Internet topologies; Pi; operating systems; packet marking; path fingerprint embedding; path identification mechanism; per-packet deterministic mechanism; spoofed source IP addresses; traceroute maps; Computer crime; Fingerprint recognition; Information filtering; Information filters; Internet telephony; Large-scale systems; Matched filters; Topology; Web and internet services; Web server;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Security and Privacy, 2003. Proceedings. 2003 Symposium on
  • ISSN
    1081-6011
  • Print_ISBN
    0-7695-1940-7
  • Type
    conf
  • DOI
    10.1109/SECPRI.2003.1199330
  • Filename
    1199330