DocumentCode
3452453
Title
Pi: a path identification mechanism to defend against DDoS attacks
Author
Yaar, Abraham ; Perrig, Adrian ; Song, Dawn
Author_Institution
Carnegie Mellon Univ., Pittsburgh, PA, USA
fYear
2003
fDate
11-14 May 2003
Firstpage
93
Lastpage
107
Abstract
Distributed denial of service (DDoS) attacks continue to plague the Internet. Defense against these attacks is complicated by spoofed source IP addresses, which make it difficult to determine a packet´s true origin. We propose Pi (short for path identifier), a new packet marking approach in which a path fingerprint is embedded in each packet, enabling a victim to identify packets traversing the same paths through the Internet on a per packet basis, regardless of source IP address spoofing. Pi features many unique properties. It is a per-packet deterministic mechanism: each packet traveling along the same path carries the same identifier This allows the victim to take a proactive role in defending against a DDoS attack by using the Pi mark to filter out packets matching the attackers´ identifiers on a per packet basis. The Pi scheme performs well under large-scale DDoS attacks consisting of thousands of attackers, and is effective even when only half the routers in the Internet participate in packet marking. Pi marking and filtering are both extremely lightweight and require negligible state. We use traceroute maps of real Internet topologies (e.g. CAIDA´s Skitter (2000) and Burch and Cheswick´s Internet Map (1999, 2002)) to simulate DDoS attacks and validate our design.
Keywords
Internet; authorisation; computer network management; invasive software; network operating systems; CAIDA Skitter; DDoS attacks; Distributed denial of service; Internet Map; Internet topologies; Pi; operating systems; packet marking; path fingerprint embedding; path identification mechanism; per-packet deterministic mechanism; spoofed source IP addresses; traceroute maps; Computer crime; Fingerprint recognition; Information filtering; Information filters; Internet telephony; Large-scale systems; Matched filters; Topology; Web and internet services; Web server;
fLanguage
English
Publisher
ieee
Conference_Titel
Security and Privacy, 2003. Proceedings. 2003 Symposium on
ISSN
1081-6011
Print_ISBN
0-7695-1940-7
Type
conf
DOI
10.1109/SECPRI.2003.1199330
Filename
1199330
Link To Document