Title :
Mantlet Trilogy: DDoS Defense Deployable with Innovative Anti-Spoofing, Attack Detection and Mitigation
Author :
Du, Ping ; Nakao, Akihiro
Author_Institution :
NiCT, Tokyo, Japan
Abstract :
Distributed Denial of Service (DDoS) attacks have become one of the most serious threats to the Internet. In this paper, we propose Mantlet, an overlay-based approach to detect and mitigate DDoS attacks. Mantlet combines three innovative mechanisms for anti-spooflng, attack detection and mitigation, respectively. To circumvent IP spoofing, we first propose a probing mechanism named Bypass Check to authenticate the clients of TCP or UDP services. Then, Cumulative Sum (CUSUM) is adopted to detect DDoS attacks based on the abrupt change of sequential packet symmetry, the ratio of received to transmitted packets of a service. After detection, the suspicious flows that contribute to asymmetry are segregated and experience preferential dropping test (PDT). A suspicious flow is confirmed as malicious if it is unresponsive to packet drops. Finally, we implement Mantlet with Click and perform experiments on PlanetLab. The experimental results validate our analysis and show that Mantlet is applicable to not only TCP services but also UDP services.
Keywords :
Internet; computer network security; transport protocols; CUSUM; DDOS attack detection; DDOS attacks mitigation; IP spoofing; Mantlet trilogy; PDT; PlanetLab; TCP clients; UDP services; antispoofing; cumulative sum; distributed denial of service; internet; overlay-based approach; preferential dropping test; sequential packet symmetry; Authentication; Computer crime; Delay; IP networks; Internet; Servers; Tin;
Conference_Titel :
Computer Communications and Networks (ICCCN), 2010 Proceedings of 19th International Conference on
Conference_Location :
Zurich
Print_ISBN :
978-1-4244-7114-0
DOI :
10.1109/ICCCN.2010.5560170
