  • DocumentCode
    2313252
  • Title

    An Effective Defense Against Distributed Denial of Service in GRID

  • Author

    Venkatesu, N. ; Chakravarthy, V.D. ; Sathya, D.

  • Author_Institution
    Dept. of Inf. Technol., Anna Univ., Chennai
  • fYear
    2008
  • fDate
    16-18 July 2008
  • Firstpage
    373
  • Lastpage
    378
  • Abstract
    IP spoofing has been exploited by distributed denial of service (DDoS) attacks to conceal flooding sources and localities in flooding traffic, and to turn legitimate hosts into reflectors that redirect and amplify flooding traffic. Thus, the ability to filter spoofed IP packets near victims is essential to their own protection as well as to their avoidance of becoming involuntary DoS reflectors. Although an attacker can forge any field in the IP header, he or she cannot falsify the number of hops an IP packet takes to reach its destination. This hop-count information can be inferred from the time-to-live (TTL) value in the IP header. Using a mapping between IP addresses and their hop-counts to an Internet server, the server can distinguish spoofed IP packets from legitimate ones. Based on this observation, we present a novel filtering technique that is immediately deployable to weed out spoofed IP packets. We maintain an IP-to-hop-count mapping table (IP2HC) to store the hop-count values. We implement hop-count filtering (HCF) in the Linux kernel, demonstrating its benefits using experimental measurements. We deploy the security mechanism in Globus Toolkit (GT4) to ensure that HCF can identify spoofed packets in a grid environment.
  • Keywords
    IP networks; Internet; grid computing; telecommunication security; Globus Toolkit; IP header; IP packet; IP spoofing; Internet; Linux kernel; distributed denial of service; filtering; flooding traffic; grid environment; hop count mapping table; time-to-live value; Computer crime; Floods; Information filtering; Information filters; Internet; Kernel; Linux; Protection; Security; Web server; Distributed Denial of Service; Globus Toolkit; Hop Count; IP Spoofing;
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    Emerging Trends in Engineering and Technology, 2008. ICETET '08. First International Conference on
  • Conference_Location
    Nagpur, Maharashtra
  • Print_ISBN
    978-0-7695-3267-7
  • Electronic_ISBN
    978-0-7695-3267-7
  • Type

    conf

  • DOI
    10.1109/ICETET.2008.155
  • Filename
    4579927