SYN-dog: sniffing SYN flooding sources
Abstract
This paper presents a simple and robust mechanism called SYN-dog for sniffing SYN flooding sources. SYN-dog is installed as a software agent at the leaf routers that connect stub networks to the Internet. Its statelessness and low computational overhead make SYN-dog itself immune to flooding attacks. The core mechanism of SYN-dog is based on the protocol behavior of TCP SYN-SYN/ACK pairs and is an instance of sequential change detection. To make SYN-dog insensitive to the site and its access patterns, a non-parametric cumulative sum (CUSUM) method is applied, which makes SYN-dog much more generally applicable and its deployment much easier. Because of its proximity to the flooding sources, SYN-dog can trace those sources without resorting to expensive IP traceback.
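The abstract describes the detector as a non-parametric CUSUM driven by the behavior of SYN/SYN-ACK pairs seen at a leaf router. The following Python is an added illustration of that idea and is not the SYN-dog authors' code. It bins a constructed packet trace (outbound SYNs from the stub network, inbound SYN/ACKs from the Internet) into one-second intervals and feeds the per-interval difference into the standard non-parametric CUSUM recursion y_n = max(0, y_{n-1} + x_n - a), alarming when y_n exceeds N. The normalization of the difference by a running average of the SYN/ACK count, the EWMA smoothing of that average, and the parameter values a, N and alpha are assumptions made for this example, not values taken from the paper.

```python
"""Added example: non-parametric CUSUM over per-interval SYN / SYN-ACK counts.

Constructed illustration of the detection idea in the abstract; not the
SYN-dog authors' code. The statistic (SYN minus SYN/ACK per interval,
normalized by a running average of the SYN/ACK count), the EWMA smoothing
and the parameters a, N, alpha are assumptions made for this example.
"""
from dataclasses import dataclass


@dataclass
class SynDogCusum:
    a: float = 0.05      # assumed: upper bound on the normalized difference's mean in normal traffic
    N: float = 2.0       # assumed: alarm threshold on the accumulated statistic
    alpha: float = 0.1   # assumed: EWMA weight for the running average of SYN/ACK counts
    avg_synack: float = 0.0
    y: float = 0.0       # CUSUM statistic y_n = max(0, y_{n-1} + x_n - a)
    primed: bool = False

    def observe(self, syn: int, synack: int) -> bool:
        """Feed one interval's (SYN, SYN/ACK) counts; return True when the alarm fires."""
        if not self.primed:
            # Seed the running average with the first interval's SYN/ACK count.
            self.avg_synack = float(synack)
            self.primed = True
        base = max(self.avg_synack, 1.0)
        # Normalize so the statistic does not depend on the site's traffic volume.
        x = (syn - synack) / base
        # Track the SYN/ACK level; SYN/ACKs do not rise during a SYN flood
        # launched from inside the stub network, so the baseline stays stable.
        self.avg_synack = (1 - self.alpha) * self.avg_synack + self.alpha * synack
        # Non-parametric CUSUM: accumulate excess above a, never below zero.
        self.y = max(0.0, self.y + x - self.a)
        return self.y > self.N


def count_pairs(packets, interval=1.0):
    """Bin (timestamp, flags) records into fixed intervals; return [(syn, synack), ...]."""
    if not packets:
        return []
    t0 = packets[0][0]
    n_bins = int((packets[-1][0] - t0) // interval) + 1
    bins = [[0, 0] for _ in range(n_bins)]
    for t, flags in packets:
        k = int((t - t0) // interval)
        if flags == "S":       # outbound SYN (stub network -> Internet)
            bins[k][0] += 1
        elif flags == "SA":    # inbound SYN/ACK (Internet -> stub network)
            bins[k][1] += 1
    return [tuple(b) for b in bins]


def constructed_trace(normal_intervals=10, attack_intervals=4, interval=1.0):
    """Constructed trace: each normal second carries 102 SYNs and 100 SYN/ACKs;
    each attack second carries 160 SYNs and 100 SYN/ACKs (a modest, sustained flood)."""
    packets = []
    for k in range(normal_intervals + attack_intervals):
        syn = 102 if k < normal_intervals else 160
        synack = 100
        t_base = k * interval
        for i in range(syn):
            packets.append((t_base + i / (syn + synack + 1), "S"))
        for i in range(synack):
            packets.append((t_base + (syn + i) / (syn + synack + 1), "SA"))
    packets.sort()
    return packets


def run_detector(counts, detector=None):
    """Run the detector over per-interval counts; return (alarm interval indexes, final y)."""
    det = detector or SynDogCusum()
    alarms = [k for k, (syn, synack) in enumerate(counts) if det.observe(syn, synack)]
    return alarms, det.y


if __name__ == "__main__":
    alarms, y = run_detector(count_pairs(constructed_trace()))
    print("alarm intervals:", alarms, "final y:", round(y, 3))
```

With the constructed trace the normal intervals keep y at zero (the normalized difference 0.02 stays below a), while the flood adds 0.55 per second and crosses N = 2 on the fourth attack interval, so the alarm fires at interval 13; the delay is the price of the accumulation that keeps the detector from reacting to single noisy intervals.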
Keywords
Floods, Computer crime, Robustness, Laboratories, Software agents, IP networks, Access protocols, Availability, TCP/IP, Internet