DocumentCode
2351399
Title
A Hash-Based Path Identification Scheme for DDoS Attacks Defense
Author
Jin, Guang ; Zhang, Fei ; Li, Yuan ; Zhang, Honghao ; Qian, Jiangbo
Author_Institution
Coll. of Inf. Sci. & Eng., Ningbo Univ., Ningbo, China
Volume
2
fYear
2009
fDate
11-14 Oct. 2009
Firstpage
219
Lastpage
224
Abstract
Distributed Denial of Service (DDoS) attacks pose a major threat to today's cyber security. Defense against these attacks is complicated by source IP address spoofing, which attackers exploit to conceal the source IP addresses and localities of malicious traffic. In this paper, we propose HPi (Hash-based Path Identification), a novel packet marking scheme to defeat DDoS attacks regardless of forged IP addresses. Our scheme makes full use of a packet's 16-bit IP Identification field to generate a unique identifier corresponding to the path the packet traverses. Each router along the path hashes the last 16 bits of its IP address into the IP Identification field. Thus the victim can classify every received packet as legitimate or malicious on a per-packet basis with high accuracy. We also develop different filtering strategies for victim servers with different capabilities, and propose a new packet filtering mechanism, the HPi2HC filter, which lets the victim distinguish between legitimate and malicious packets more accurately based on the tuple of each packet. Simulation results show that the performance of our scheme remains quite promising even when only half of the routers in the network participate in packet marking. The HPi scheme is also lightweight, supports incremental deployment, and is robust against random initial values in the IP Identification field forged by sophisticated attackers.
Keywords
IP networks; Internet; cryptography; telecommunication security; DDoS attacks defense; HPi2HC filter; IP Identification field; Internet security; cyber security; distributed denial of service attacks; forged IP addresses; hash-based path identification scheme; malicious traffic; packet filtering mechanism; packet marking scheme; source IP address spoofing; unique identifier; Computer crime; Educational institutions; Information filtering; Information filters; Information science; Information technology; Large-scale systems; Network servers; Robustness; Web server; Distributed Denial of Service; Hash; Hop count; Internet security; Packet marking;
fLanguage
English
Publisher
ieee
Conference_Titel
Computer and Information Technology, 2009. CIT '09. Ninth IEEE International Conference on
Conference_Location
Xiamen
Print_ISBN
978-0-7695-3836-5
Type
conf
DOI
10.1109/CIT.2009.47
Filename
5329107