Summary: Master's === National Tsing Hua University === Institute of Information Systems and Applications === 92 === DDoS attacks have occurred frequently in recent years, affecting the availability aspect of information security. They also cause a great deal of damage to enterprises that provide web services. Internet servers therefore need a robust IP packet filtering mechanism to strengthen their ability to resist DDoS attacks. Configuring a firewall to filter out these attacks is hard because of the open nature of Internet servers. Furthermore, the flooding sources of the attacks are spoofed, which makes it difficult to configure appropriate firewall rules. Distinguishing legitimate packets from malicious ones is a difficult task for a firewall. We therefore improve on the idea of "Hop-Count Filtering" proposed by Cheng Jin et al. to build a robust IP packet filtering mechanism. It can detect and reduce DDoS attacks by checking inbound packets against an IP address database. Our IP packet filtering mechanism has the following distinguishing features: (1) The IP address database, which we call the Address Table, has three fields to identify packets: source IP address, hop count, and priority. The priority field is our idea and allows good users to keep their connections to the protected server under any situation. (2) The Address Table is stored in a three-dimensional array structure, so looking up an address in the Address Table takes only O(1) time. (3) Probing techniques are used to actively construct the Address Table, so that an appropriately sized Address Table is sufficient to detect spoofed packets. (4) A queue monitor on the protected server prevents it from running out of space resources. When the queue is close to being full, the filter is started to save space resources.
Establishing this robust IP packet filtering mechanism on an edge router or a firewall can dynamically block attack traffic to protect our servers from DDoS attacks. We used Netfilter, a flexible and extensible framework inside Linux 2.4.x, to implement it on a victim server. Finally, we use two DDoS attack scenarios to evaluate this mechanism and analyze the influence of some important parameters on system performance and effectiveness. We show that this mechanism is effective against DDoS attacks.
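The filtering decision described in features (1) and (4), as an added Python sketch that is not the thesis's Netfilter implementation. The initial-TTL set, the dict standing in for the three-dimensional array, the 0.8 start threshold, the accept/drop policy and all names are assumptions made for illustration.

```python
# Added sketch of hop-count filtering with a priority field; not the thesis's code.
# Assumed here: the initial-TTL set, a dict in place of the three-dimensional
# array, the 0.8 start threshold, and the accept/drop policy in verdict().
from dataclasses import dataclass

INITIAL_TTLS = (32, 64, 128, 255)  # assumed common OS default TTLs


def infer_hop_count(observed_ttl: int) -> int:
    """Smallest assumed initial TTL >= observed TTL, minus the observed TTL."""
    if not 0 < observed_ttl <= 255:
        raise ValueError("TTL out of range")
    initial = next(t for t in INITIAL_TTLS if t >= observed_ttl)
    return initial - observed_ttl


@dataclass
class Entry:
    hop_count: int
    priority: int  # > 0 marks a "good user" who keeps access under load


class AddressTable:
    def __init__(self, queue_capacity: int, start_ratio: float = 0.8):
        self.entries = {}  # source IP -> Entry
        self.capacity = queue_capacity
        self.start_at = start_ratio * queue_capacity  # queue monitor threshold

    def learn(self, src_ip: str, probe_reply_ttl: int, priority: int = 0) -> None:
        """Record the hop count seen in a probe reply from src_ip."""
        self.entries[src_ip] = Entry(infer_hop_count(probe_reply_ttl), priority)

    def verdict(self, src_ip: str, observed_ttl: int, queue_len: int) -> str:
        if queue_len < self.start_at:
            return "ACCEPT"  # queue has room: filter not started
        entry = self.entries.get(src_ip)  # O(1) average lookup
        if entry is None or entry.hop_count != infer_hop_count(observed_ttl):
            return "DROP"  # unknown source, or hop count inconsistent with the table
        if entry.priority > 0:
            return "ACCEPT"  # priority sources pass even when the queue is full
        return "ACCEPT" if queue_len < self.capacity else "DROP"
```

A spoofed packet can copy a listed source address, but the sender does not control how many hops its packet crosses, so the TTL it arrives with rarely matches the stored hop count.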