Detecting DRDoS attacks by a simple response packet confirmation mechanism

Hiroshi Tsunoda; Kohei Ohta; Atsunori Yamamoto; Nirwan Ansari; Yuji Waizumi; Yoshiaki Nemoto

doi:10.1016/j.comcom.2008.05.033

Detecting DRDoS attacks by a simple response packet confirmation mechanism

Hiroshi Tsunoda, Kohei Ohta, Atsunori Yamamoto, Nirwan Ansari, Yuji Waizumi, Yoshiaki Nemoto

INF - Applied Information Sciences

Research output: Contribution to journal › Article › peer-review

26 Citations (Scopus)

Abstract

In this paper, we propose a simple and robust method to detect Distributed Reflective Denial of Service (DRDoS) attacks. In DRDoS attacks, the victim is bombarded by reflected response packets from legitimate hosts, and thus it is difficult to distinguish attack packets from legitimate packets. We focus on the fact that the types of packets used for DRDoS are limited and predictable. Hence, the proposed method monitors only limited pairs of requests and responses, and confirms the validity of the received response packets based on the request-response relationship. Therefore, the proposed method does not need complicated state management such as the stateful inspection method, and thus the detection mechanism becomes simple. We also analyze the complexity of the proposed method, and show that the proposed method requires low processing cost as compared with the conventional method. Through experiments using a real networking environment, we demonstrate that the proposed method can accurately detect DRDoS packets at a low cost.

Original language	English
Pages (from-to)	3299-3306
Number of pages	8
Journal	Computer Communications
Volume	31
Issue number	14
DOIs	https://doi.org/10.1016/j.comcom.2008.05.033
Publication status	Published - 2008 Sep 5

Keywords

Detection
Distributed reflection DoS
Response confirmation

ASJC Scopus subject areas

Computer Networks and Communications

Access to Document

10.1016/j.comcom.2008.05.033

Fingerprint Dive into the research topics of 'Detecting DRDoS attacks by a simple response packet confirmation mechanism'. Together they form a unique fingerprint.

Cite this

@article{fabd02ffb263451c88c7bcb279e9f229,

title = "Detecting DRDoS attacks by a simple response packet confirmation mechanism",

abstract = "In this paper, we propose a simple and robust method to detect Distributed Reflective Denial of Service (DRDoS) attacks. In DRDoS attacks, the victim is bombarded by reflected response packets from legitimate hosts, and thus it is difficult to distinguish attack packets from legitimate packets. We focus on the fact that the types of packets used for DRDoS are limited and predictable. Hence, the proposed method monitors only limited pairs of requests and responses, and confirms the validity of the received response packets based on the request-response relationship. Therefore, the proposed method does not need complicated state management such as the stateful inspection method, and thus the detection mechanism becomes simple. We also analyze the complexity of the proposed method, and show that the proposed method requires low processing cost as compared with the conventional method. Through experiments using a real networking environment, we demonstrate that the proposed method can accurately detect DRDoS packets at a low cost.",

keywords = "Detection, Distributed reflection DoS, Response confirmation",

author = "Hiroshi Tsunoda and Kohei Ohta and Atsunori Yamamoto and Nirwan Ansari and Yuji Waizumi and Yoshiaki Nemoto",

year = "2008",

month = sep,

day = "5",

doi = "10.1016/j.comcom.2008.05.033",

language = "English",

volume = "31",

pages = "3299--3306",

journal = "Computer Communications",

issn = "0140-3664",

publisher = "Elsevier",

number = "14",

}

TY - JOUR

T1 - Detecting DRDoS attacks by a simple response packet confirmation mechanism

AU - Tsunoda, Hiroshi

AU - Ohta, Kohei

AU - Yamamoto, Atsunori

AU - Ansari, Nirwan

AU - Waizumi, Yuji

AU - Nemoto, Yoshiaki

PY - 2008/9/5

Y1 - 2008/9/5

N2 - In this paper, we propose a simple and robust method to detect Distributed Reflective Denial of Service (DRDoS) attacks. In DRDoS attacks, the victim is bombarded by reflected response packets from legitimate hosts, and thus it is difficult to distinguish attack packets from legitimate packets. We focus on the fact that the types of packets used for DRDoS are limited and predictable. Hence, the proposed method monitors only limited pairs of requests and responses, and confirms the validity of the received response packets based on the request-response relationship. Therefore, the proposed method does not need complicated state management such as the stateful inspection method, and thus the detection mechanism becomes simple. We also analyze the complexity of the proposed method, and show that the proposed method requires low processing cost as compared with the conventional method. Through experiments using a real networking environment, we demonstrate that the proposed method can accurately detect DRDoS packets at a low cost.

AB - In this paper, we propose a simple and robust method to detect Distributed Reflective Denial of Service (DRDoS) attacks. In DRDoS attacks, the victim is bombarded by reflected response packets from legitimate hosts, and thus it is difficult to distinguish attack packets from legitimate packets. We focus on the fact that the types of packets used for DRDoS are limited and predictable. Hence, the proposed method monitors only limited pairs of requests and responses, and confirms the validity of the received response packets based on the request-response relationship. Therefore, the proposed method does not need complicated state management such as the stateful inspection method, and thus the detection mechanism becomes simple. We also analyze the complexity of the proposed method, and show that the proposed method requires low processing cost as compared with the conventional method. Through experiments using a real networking environment, we demonstrate that the proposed method can accurately detect DRDoS packets at a low cost.

KW - Detection

KW - Distributed reflection DoS

KW - Response confirmation

UR - http://www.scopus.com/inward/record.url?scp=49649095338&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=49649095338&partnerID=8YFLogxK

U2 - 10.1016/j.comcom.2008.05.033

DO - 10.1016/j.comcom.2008.05.033

M3 - Article

AN - SCOPUS:49649095338

VL - 31

SP - 3299

EP - 3306

JO - Computer Communications

JF - Computer Communications

SN - 0140-3664

IS - 14

ER -