A Divide-and-Conquer Strategy for Thwarting

DDoS AttacksRandolph Marchany (VT)

Jung-Min Park (VT)Ruiliang Chen (VT)

Presented by Panoat Chuchaisri

Outline

• Proposed scheme– AD : Attack Diagnosis– PAD : Parallel Attack Diagnosis

• Overview

• Simulation Results

• Conclusion

AD & PAD Features

• Support ideal DDoS countermeasure paradigm

• No overhead during normal traffic

• Deterministic packet marking

• Provide adjustable parameter

• Do not require global key distribution

Overview

PID

4-8-24-42

Overview (contd.)

• Mark packet using 16-bit identification field and 1 reserved bit in IP header

• Use– a-bit hop-count field– b-bit PID field– c-bit XOR field

a + b + c = 17 , b ≥ c

Overview (contd.)

• ADMM (Active DMM)– Set hop-count field to zero– Copy own PID into PID field– Copy last c bits of PID to XOR field

• PDMM (Passive DMM)– Increase hop-count field by one– XOR field = last c bits of PID XOR field

AD

DAI

■ ADMM

■ PDMM

2742 21

24762

DAI

DII 42

36528

4729

1821 4

DII 24

PAD• Traceback multiple attack path

simultaneously

• DII 42 → DII 42,27

• Identify upstream interface using XOR

hop PID XOR

PAD

DAI DII 27,42

2742 21

2462 72450

19

042 42

27 27

24 50

50 411

Simulation Results

Simulation Results(contd.)

Simulation Results (contd.)

UNACCEPTABLE

Conclusion

• AD and PAD employ divide-and-conquer strategy to isolate attackers

• Combine traceback and filtering technique

• Suffer deployment problem

Thank You!