Defeating distributed denial-of-service attack with deterministic bit marking

Denial-of-Service (DDoS) attack is a serious threat in Internet. We propose a bit marking concept to identify and drop the DDoS attack packets. Bit marking is a variation of the packet marking technique that modifies packet headers at each router. However instead of storing the router information in the packets, bit marking alters one or more bits in the marking field. The bit marking process discussed in this paper is performed to all the packets and at all the routers along the path; hence it is called deterministic bit marking (DBM). DBM creates a common path signature for all the packets originating from the same location upon arriving at a destination. Since different source networks generate virtually unique path signatures, DBM makes it possible to isolate and discard DDoS attack traffic. From the Internet topology of Autonomous Systems we observe that the source networks are quite uniformly distributed over the path signature space. In our simulation over 99% of the attack traffic is blocked using DBM while up to 99% of the legitimate traffic passes. DBM can also be used for source traceback using reverse bit marking. DBM can be independently deployed for each ISP and the DBM-based networks can be protected from the attacks coming from non-DBM networks. 1 INTRODUCTION In Denial-of-Service (DoS) attack, large amount of packets are bombarded to a destination to bring down a victim server or a communication link toward a victim [7]. In Distributed DoS (DDoS) the attack is originated from a large number of attack agents that have been compromised by the attacker. DDoS attack is becoming more threatening with newer type of attacks and attack patterns [16]. Under DDoS packet flooding, it is difficult to identify the attacking packets or to identify the source of the attack since the source IP addresses of the attack packets are usually spoofed. Rate limiting is commonly used to lower the overwhelming bandwidth to the victim. In some rate-limiting schemes, both the attack and legitimate packets towards the victim are simply dropped to keep the communication link toward the victim available [9][12][20][21]. In more recent approaches, the attack packets are distinguished and dropped with higher accuracy [5][10][13][14], but they require rather sophisticated operation or network-wide cooperation. Another area of research focuses on traceback of the source address including logging [19], packet marking [18] and using ICMP [3]. However traceback alone cannot be used for blocking attack …