A Defense Framework against DDoS in a Multipath Network Environment

DOI: 10.4236/cn.2015.72010


The Internet is facing a major threat: the disruption of services caused by distributed denial-of-service (DDoS) attacks. These attacks have continued to evolve over the past two decades, and they are well known to significantly affect companies and businesses. DDoS is a popular choice among the attacker community. Such an attack can easily exhaust the computing and communication resources of its victim within a short period of time. Many approaches to countering DDoS attacks have been proposed, but few have addressed the use of multipath. In this paper, we analyze how multipath-routing-based solutions could be used to address the DDoS problem. The proposed framework traces the attack back to its source and blocks it. It also calculates multiple paths to the attacker (if they exist) and alerts all gateways near the attacker to block possible traffic originating from this source, in case other paths are later used to attack the victim again. We demonstrate that our scheme performs better than other single-path schemes.

Share and Cite:

Mahlous, A. (2015) A Defense Framework against DDoS in a Multipath Network Environment. Communications and Network, 7, 106-116. doi: 10.4236/cn.2015.72010.

Conflicts of Interest

The authors declare no conflicts of interest.




Copyright © 2020 by authors and Scientific Research Publishing Inc.

This work and the related PDF file are licensed under a Creative Commons Attribution 4.0 International License.