Jin, Cheng and Wang, Haining and Shin, Kang G. (2003) Hop-count filtering: an effective defense against spoofed DDoS traffic. In: CCS '03 Proceedings of the 10th ACM conference on Computer and communications security. ACM, New York, NY, pp. 30-41. ISBN 1-58113-738-9. https://resolver.caltech.edu/CaltechAUTHORS:20161107-170635570
Full text is not posted in this repository. Consult Related URLs below.
Abstract
IP spoofing has been exploited by Distributed Denial of Service (DDoS) attacks to (1) conceal flooding sources and localities in flooding traffic, and (2) coax legitimate hosts into becoming reflectors, redirecting and amplifying flooding traffic. Thus, the ability to filter spoofed IP packets near victims is essential to their own protection as well as to their avoidance of becoming involuntary DoS reflectors. Although an attacker can forge any field in the IP header, he or she cannot falsify the number of hops an IP packet takes to reach its destination. This hop-count information can be inferred from the Time-to-Live (TTL) value in the IP header. Using a mapping between IP addresses and their hop-counts to an Internet server, the server can distinguish spoofed IP packets from legitimate ones. Based on this observation, we present a novel filtering technique that is immediately deployable to weed out spoofed IP packets. Through analysis using network measurement data, we show that Hop-Count Filtering (HCF) can identify close to 90% of spoofed IP packets, and then discard them with little collateral damage. We implement and evaluate HCF in the Linux kernel, demonstrating its benefits using experimental measurements.
Item Type: | Book Section
---|---
Related URLs: |
Additional Information: | © 2003 ACM.
Subject Keywords: | Algorithms, Performance, Security, security, networking, DDoS defense, TTL, host-based
Classification Code: | C.2 [Computer-Communication Networks]: Security
DOI: | 10.1145/948109.948116
Record Number: | CaltechAUTHORS:20161107-170635570
Persistent URL: | https://resolver.caltech.edu/CaltechAUTHORS:20161107-170635570
Official Citation: | Cheng Jin, Haining Wang, and Kang G. Shin. 2003. Hop-count filtering: an effective defense against spoofed DDoS traffic. In Proceedings of the 10th ACM conference on Computer and communications security (CCS '03). ACM, New York, NY, USA, 30-41. DOI=http://dx.doi.org/10.1145/948109.948116
Usage Policy: | No commercial reproduction, distribution, display or performance rights in this work are provided.
ID Code: | 71792
Collection: | CaltechAUTHORS
Deposited By: | INVALID USER
Deposited On: | 08 Nov 2016 17:30
Last Modified: | 11 Nov 2021 04:51