Title :
Eagle Eyes: Protocol Independent Packet Marking Scheme to Filter Attack Packets and Reduce Collateral Damage During Flooding Based DoS and DDoS Attacks
Author :
Saurabh, Saket ; Sairam, Ashok Singh
Author_Institution :
Dept. of Comput. Sci., Indian Inst. of Technol. Patna, Patna, India
Abstract :
Defences against Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks commonly respond to flooding by dropping excess traffic. Such rate limiting schemes drop all excess traffic when the request arrival rate goes above a certain empirically calculated threshold. Flooding based DoS/DDoS attacks like the TCP SYN attack do not exhibit any special signature except that their arrival rate is high enough to overwhelm the victim. Hence it is very difficult to differentiate between legitimate and attack traffic, as they share the same signature. As a result, rate limiting schemes cause heavy collateral damage by dropping legitimate traffic [15]. In this paper we propose a novel packet marking mechanism which not only mitigates DoS/DDoS attacks by filtering but also reduces collateral damage significantly by selectively dropping attack packets based on their packet marks while allowing the legitimate traffic to be processed smoothly. Our packet mark contains a fingerprint of the path in each single packet, which allows us to identify attack packets coming from various sources even in case of IP spoofing. Our scheme does not require any protocol specific knowledge and can generically filter out attack packets for all kinds of flooding attacks. We have extensively evaluated our packet marking scheme. Results show the effectiveness of our scheme in filtering attack traffic. Our scheme inflicts extremely low collateral damage on legitimate traffic while quickly detecting and selectively filtering attack traffic.
Keywords :
IP networks; computer network security; protocols; telecommunication traffic; Eagle Eyes; IP spoofing; TCP SYN attack; attack packet filtering; attack traffic filtering; collateral damage reduction; distributed denial of service attacks; dropping attack packets; excess traffic dropping; flooding based DDoS Attacks; protocol independent packet marking scheme; rate limiting schemes; Computer crime; IP networks; Internet; Limiting; Routing; Servers; Topology; Anomaly Detection; DDoS; TCP SYN Attack; collateral damage; packet marking; selective filtering;
Conference_Title :
Computer and Communication Technology (ICCCT), 2012 Third International Conference on
Conference_Location :
Allahabad
Print_ISBN :
978-1-4673-3149-4
DOI :
10.1109/ICCCT.2012.35