StackPi: New Packet Marking and Filtering Mechanisms for DDoS and IP Spoofing Defense
Abstract
Today's Internet hosts are threatened by large-scale distributed denial-of-service (DDoS) attacks. The path identification (Pi) DDoS defense scheme has recently been proposed as a deterministic packet marking scheme that allows a DDoS victim to filter out attack packets on a per-packet basis with high accuracy after only a few attack packets are received (Yaar, 2003). In this paper, we propose the StackPi marking, a new packet marking scheme based on Pi, and new filtering mechanisms. The StackPi marking scheme consists of two new marking methods that substantially improve Pi's incremental deployment performance: stack-based marking and write-ahead marking. Our scheme almost completely eliminates the effect of a few legacy routers on a path, and performs 2–4 times better than the original Pi scheme in a sparse deployment of Pi-enabled routers. For the filtering mechanism, we derive an optimal threshold strategy for filtering with the Pi marking. We also develop a new filter, the PiIP filter, which can be used to detect Internet protocol (IP) spoofing attacks with just a single attack packet. Finally, we discuss in detail StackPi's compatibility with IP fragmentation, applicability in an IPv6 environment, and several other important issues relating to potential deployment of StackPi.
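The abstract contrasts the original Pi marking with StackPi's stack-based marking and sketches the PiIP filter. The following simulation is an added illustration, not code from the paper: the 16-bit field, the 2-bit-per-router mark derived from a hash of the router address, the TTL-indexed slot rule for Pi, and the "push" rule for StackPi are simplifying assumptions of this example, and write-ahead marking is not modelled. It shows why a legacy router that only decrements TTL leaves a sender-controlled slot under TTL-indexed marking, why the stack variant pushes sender-chosen bits out of the field once enough routers mark, and how a PiIP-style table flags a packet whose mark disagrees with the one previously learned for its source address.

```python
"""Toy model of TTL-indexed (Pi-style) versus stack-based (StackPi-style) path
marking in a 16-bit field, plus a PiIP-style spoofing check.

Constructed example: field layout, mark derivation and slot rule are
simplifying assumptions, not the paper's specification. Write-ahead marking
is not modelled.
"""
import hashlib

FIELD_BITS = 16                 # the IP Identification field Pi reuses
MARK_BITS = 2                   # bits each marking router contributes
SLOTS = FIELD_BITS // MARK_BITS # 8 two-bit slots
FIELD_MASK = (1 << FIELD_BITS) - 1
MARK_MASK = (1 << MARK_BITS) - 1


def router_mark(router_ip):
    """Deterministic MARK_BITS-bit mark for a router (assumed: low bits of a hash)."""
    digest = hashlib.sha256(router_ip.encode()).digest()
    return digest[0] & MARK_MASK


def pi_mark(path, ttl, init):
    """TTL-indexed marking: an enabled router writes its mark into slot (ttl mod SLOTS).
    A legacy router only decrements TTL, so its slot keeps the sender's initial bits."""
    field = init & FIELD_MASK
    for router_ip, enabled in path:
        if enabled:
            shift = (ttl % SLOTS) * MARK_BITS
            cleared = field & ~(MARK_MASK << shift) & FIELD_MASK
            field = cleared | (router_mark(router_ip) << shift)
        ttl -= 1
    return field


def stackpi_mark(path, init):
    """Stack-based marking: an enabled router shifts the field left and pushes its
    mark into the low bits; sender-chosen bits fall off the top once SLOTS routers
    have marked. A legacy router simply contributes no push."""
    field = init & FIELD_MASK
    for router_ip, enabled in path:
        if enabled:
            field = ((field << MARK_BITS) | router_mark(router_ip)) & FIELD_MASK
    return field


def mark_is_sender_independent(mark_fn, path, **kw):
    """True if every sender-chosen initial field value yields the same final mark,
    i.e. the sender cannot vary the mark to dodge a per-mark filter."""
    marks = {mark_fn(path, init=init, **kw) for init in range(0, FIELD_MASK + 1, 0x1111)}
    return len(marks) == 1


class PiIPFilter:
    """Remembers the mark observed for each source address during normal traffic;
    a later packet whose mark disagrees is flagged as spoofed on its own."""

    def __init__(self):
        self.table = {}

    def learn(self, src_ip, mark):
        self.table[src_ip] = mark

    def is_spoofed(self, src_ip, mark):
        return src_ip in self.table and self.table[src_ip] != mark


# Constructed paths (addresses are placeholders): ten hops with hops 4 and 8 legacy,
# eight hops with hops 3 and 6 legacy, and a fully enabled path used by a spoofer.
PATH = [(f"10.0.{i}.1", i not in (3, 7)) for i in range(10)]
SHORT_PATH = [(f"10.1.{i}.1", i not in (2, 5)) for i in range(8)]
ATTACKER_PATH = [(f"172.16.{i}.1", True) for i in range(10)]


def demo():
    """Returns (pi fixed on PATH, stack fixed on PATH, stack fixed on SHORT_PATH,
    spoofed packet flagged, legitimate packet flagged)."""
    pi_fixed = mark_is_sender_independent(pi_mark, PATH, ttl=64)
    stack_fixed = mark_is_sender_independent(stackpi_mark, PATH)
    # Only six pushes on SHORT_PATH: four sender-chosen bits survive at the top.
    short_fixed = mark_is_sender_independent(stackpi_mark, SHORT_PATH)
    f = PiIPFilter()
    legit = stackpi_mark(PATH, init=0)
    f.learn("192.0.2.10", legit)
    spoof = stackpi_mark(ATTACKER_PATH, init=0)   # same claimed source, different route
    return (pi_fixed, stack_fixed, short_fixed,
            f.is_spoofed("192.0.2.10", spoof), f.is_spoofed("192.0.2.10", legit))


if __name__ == "__main__":
    print(demo())
```

On the ten-hop path the two legacy hops leave slots 5 and 1 untouched under TTL-indexed marking, so the final mark depends on the sender's initial value, while eight pushes under stack-based marking overwrite the whole field. The shorter path shows the residual legacy-router effect that the abstract's write-ahead marking is meant to remove: with only six marking routers, four sender-chosen bits remain.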