Active packet filtering against DDoS attack

Abstract

Distributed Denial of Service (DDoS) attacks are one of the dominant and persistent threats to the security of the Internet nowadays. The aim of these attacks are mainly resource or the bandwidth consumption with enormous number of normal packets. Their target are at layer three or four of the network which are network and transport layers, where distinguishing a normal packet from a malicious one is an arduous task. However, these are not the only precarious aspects of DDoS attacks. A DDoS attacker may easily spoof its source IP address, to hide the origins of the attack. Therefore, developing a distributed defense ltering strategy which can e ciently detect and drop attack packets with the least possible false negative probability is crucial. In this thesis, we propose an incorporated ltering scheme in victim host and edge routers, which detects and drops the illegitimate packets while mitigating the huge amount of data coming toward the victim in edge routers. First, a novel anomaly detection based on feature statistical behavior and payload characteristics of normal and attack tra c is proposed. In the second step, a host-based ltering strategy that detects spoofed packets with a combination of IP history based and hops counting lters, is applied in victim side by means of an advanced matrix bloom lter. Along with this lter, the defense and availability of the service on the target is guaranteed by turning o several edge routers by optimization system. This optimization, selects edge routers to be turned o for the good throughput to reach to the victim via two optimization algorithms, (i) Genetic evolutionary algorithm and (ii) linear programming algorithm.