A SECURITY FRAMEWORK BASED ON FLOW MARKING IP-TRACEBACK TECHNIQUES

Abstract

Distributed-Denial-Of-Service (DDoS) attacks are one of the more challenging security issues on the Internet today. They can easily exhaust the resources of the potential victims. The problem is even more exacerbated since the attackers often forge their IP addresses to hide their identity. The existing defence mechanisms against DDoS attacks usually filter the attack traffic at the victim's side. In this case, even if the attacking traffic can be filtered by the victim, the attacker may reach the goal of blocking access to the victim by consuming the victim's computing resources or bandwidth. To address this issue, a modular security framework is proposed which consists of three main components: Detection, Traceback and Traffic Control. These three components can work independently as standalone systems, as well as collectively, bound by the proposed framework which aims to facilitate the replacement or addition of security modules without affecting the operation of the system as a whole. The Detection component aims to detect unusual changes of the incoming traffic to identify DDoS attacks. For the Traceback component five different approaches to IP-Traceback are proposed: Deterministic Flow Marking (DFM), Probabilistic Flow Marking (PFM), Unique Flow Marking (UFM), Deterministic Flow Marking for IPv6 Traceback (DFM6) and Autonomous System-based Flow Marking (ASFM). This component enables the identification of the origin of the traffic traversing through the Internet on a per flow basis, regardless of source IP address spoofing. The above five IP-Traceback approaches are designed for different network environments with varying network requirements. They all embed a fingerprint in the packets, but each one of them has some specific features and performances that make them suitable for various situations. For the traffic control component, Traceback-based Defence against DDoS Flooding Attacks (TDFA) is proposed. TDFA aims to place the packet filtering as close to the attack source as possible. In doing so, the traffic control component employs the IP-Traceback component to locate the origin of the attack and then sets up a limit on the packet forwarding rate to the victim. TDFA effectively reduces attack forwarding rate and improves the throughput of the legitimate traffic.