Enhanced efficient SYN spoofing detection and mitigation scheme for DDoS attacks

Published: 01 January 2018

Abstract

Protecting critical servers from cyber attacks is vital, especially in the case of active attacks such as distributed denial of service (DDoS). Generally, denial of service (DoS) is an action that prevents or impairs the authorized use of networks, systems or applications by exhausting resources such as central processing units (CPU), memory, bandwidth and disk space. The job of security professionals becomes complex when the attacks are launched from trusted IP addresses using synchronization (SYN) spoofing. The work presented in this paper experiments with the efficient spoofed mitigation scheme (ESMS), which uses the TCP probing method along with the bloom filter trust model. The experiment is carried out in both IPv4 and IPv6 environments in the smart and secure environment (SSE) real-time test bed, and the proposed scheme provides accurate and robust information for detecting and controlling spoofed packets during DDoS attacks.

Published In

International Journal of Internet Technology and Secured Transactions  Volume 8, Issue 4
January 2018
170 pages
ISSN:1748-569X
EISSN:1748-5703

Publisher

Inderscience Publishers

Geneva 15, Switzerland

Qualifiers

  • Article
