Research On DDoS Attacks And Trace Back Schemes

Posted on: 2007-03-30
Degree: Master
Type: Thesis
Country: China
Candidate: X Q Gu
Full Text: PDF
GTID: 2178360185995769
Subject: Computer application technology

Abstract/Summary:
Defending against Distributed Denial of Service (DDoS) attacks is one of the hardest security problems on the Internet today. One difficulty in thwarting these attacks is that a vast number of insecure machines exist on the Internet, attack tools can easily be downloaded, and the attacks often use spoofed IP source addresses. Research on DDoS attacks and their countermeasures is therefore very important.

In this paper, the mechanisms and methods of DDoS attacks, and the countermeasures to them, are reviewed. In particular, several packet marking schemes for IP traceback are discussed. After that, an adjusted probabilistic packet marking scheme is proposed, which reduces the number of packets needed to reconstruct the attack path, so that the victim can respond to an attack more promptly.

Because routers may overwrite the information that upstream routers have written into the marking field, a non-preemptive packet marking scheme with an adjusted probability is proposed. When this scheme is adopted, it incurs lower network and router overhead, a lower false positive rate, and less uncertainty in IP traceback.

None of the existing packet marking schemes is suited to Distributed Reflector Denial of Service attacks, since the marking information written by routers between the attacker and the reflectors is lost. Based on this, an improved non-preemptive packet marking scheme is proposed. In this method, a hash table is used to store and copy the marking information on the reflectors. The experimental results show that few packets are needed for path reconstruction, which also saves time for the victim and reduces attackers' ability to spoof.
Keywords/Search Tags:network security, DDoS attacks, packet marking, IP traceback
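
The overwrite problem and the effect of adjusting the marking probability can be made concrete with the following added example, which is not code from the thesis. The abstract does not give the thesis's actual formulas, so the adjusted probabilities `1/i` and `1/(d-i+1)`, the path length `d = 15` and the fixed probability `p = 1/25` are assumptions chosen for illustration.

```python
import random
from fractions import Fraction

def fixed(p):                      # classic PPM: every router uses the same p
    return lambda i, d: p

def adjusted_overwrite(i, d):      # assumption: router i (1 = nearest attacker) marks with 1/i
    return Fraction(1, i)

def adjusted_nonpreemptive(i, d):  # assumption: router i marks an unmarked packet with 1/(d-i+1)
    return Fraction(1, d - i + 1)

def delivery_probs(d, mark_prob, preemptive):
    """P(victim receives router i's mark) for i = 1..d along a d-hop path."""
    probs = []
    for i in range(1, d + 1):
        # Overwriting: the mark must survive routers i+1..d.
        # Non-preemptive: routers 1..i-1 must have left the field empty.
        others = range(i + 1, d + 1) if preemptive else range(1, i)
        keep = Fraction(1)
        for j in others:
            keep *= 1 - mark_prob(j, d)
        probs.append(mark_prob(i, d) * keep)
    return probs

def packets_until_all_seen(d, mark_prob, preemptive, rng):
    """Simulate packets until the victim has seen a mark from every router."""
    seen, sent = set(), 0
    while len(seen) < d:
        sent += 1
        mark = None
        for i in range(1, d + 1):
            if (preemptive or mark is None) and rng.random() < mark_prob(i, d):
                mark = i
        if mark is not None:
            seen.add(mark)
    return sent

def mean_packets(d, mark_prob, preemptive, trials=200, seed=1):
    rng = random.Random(seed)
    return sum(packets_until_all_seen(d, mark_prob, preemptive, rng)
               for _ in range(trials)) / trials

if __name__ == "__main__":
    d, p = 15, Fraction(1, 25)     # constructed path length and fixed probability
    for name, fn, pre in [("fixed, overwriting", fixed(p), True),
                          ("adjusted, overwriting", adjusted_overwrite, True),
                          ("fixed, non-preemptive", fixed(p), False),
                          ("adjusted, non-preemptive", adjusted_nonpreemptive, False)]:
        rarest = min(delivery_probs(d, fn, pre))
        print(f"{name:26s} rarest mark {float(rarest):.4f}  "
              f"mean packets {mean_packets(d, fn, pre):.0f}")
```

With a fixed probability the rarest mark comes from the router farthest from the victim when marks are overwritten and from the router nearest the victim when they are not; under either assumed adjustment every router's mark arrives with probability `1/d`.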