Title :
MAFIC: adaptive packet dropping for cutting malicious flows to push back DDoS attacks
Author :
Chen, Yu ; Kwok, Yu-Kwong ; Hwang, Kai
Author_Institution :
Univ. of Southern California, Los Angeles, CA, USA
Abstract :
In this paper, we propose a new approach called MAFIC (malicious flow identification and cutoff) to support adaptive packet dropping to fend off DDoS attacks. MAFIC works by judiciously issuing lightweight probes to flow sources to check if they are legitimate. Through such probing, MAFIC would drop malicious attack packets with high accuracy while minimizes the loss on legitimate traffic flows. Our NS-2 based simulation indicates that MAFIC algorithm drops packets from unresponsive potential attack flows with an accuracy as high as 99% and reduces the loss of legitimate flows to less than 3%. Furthermore, the false positive and negative rates are low-only around 1% for a majority of the cases.
Keywords :
Internet; packet switching; telecommunication network routing; telecommunication security; telecommunication traffic; DDoS attacks; MAFIC; NS-2 based simulation; adaptive packet dropping; duplicated ACK; malicious flow identification and cutoff; Computer crime; Contracts; Councils; Information filtering; Information filters; Internet; Probes; Protection; Telecommunication traffic; Traffic control; DDoS defense; duplicated ACKs; malicious flows; packet dropping policy; probing;
Conference_Titel :
Distributed Computing Systems Workshops, 2005. 25th IEEE International Conference on
Print_ISBN :
0-7695-2328-5
DOI :
10.1109/ICDCSW.2005.84
