Intrusion detection routers: Design, implementation and evaluation using an experimental testbed

IEEE Journal on Selected Areas in Communications

Volumn 24, Issue 10, 2006, Pages 1889-1899

  Chan, Eric Y K ^a   Chan, H W ^a   Chan, K M ^a   Chan, P S ^a   Chanson, Samuel T ^b   Cheung, M H ^a   Chong, C F ^a   Chow, K P ^a   Hui, Albert K T ^b   Hui, Lucas C K ^a   Ip, S K ^a   Lam, C K ^a   Lau, W C ^c   Pun, K H ^a   Tsang, Y F ^a   Tsang, W W ^a   Tso, C W ^a   Yeung, D Y ^b   Yiu, S M ^a   Yu, K Y ^a   Ju, Weihua ^a   more..

^a UNIVERSITY OF HONG KONG   (Hong Kong)

^b HONG KONG UNIVERSITY OF SCIENCE AND TECHNOLOGY   (Hong Kong)

^c CHINESE UNIVERSITY OF HONG KONG   (Hong Kong)

Author keywords

Distributed denial of service (DDoS); Intrusion detection; Routers; Testbed

Indexed keywords

DISTRIBUTED DENIAL-OF-SERVICE (DDOS); INTRUSION DETECTION; TESTBED;

COMPUTER CRIME; COMPUTER OPERATING SYSTEMS; DISTRIBUTED COMPUTER SYSTEMS; INTERNET; ONLINE SYSTEMS; SECURITY OF DATA;

ROUTERS;

EID: 33749851980     PISSN: 07338716     EISSN: None     Source Type: Journal    
DOI: 10.1109/JSAC.2006.877214     Document Type: Article

References (43)

1. W. Almesberger, Linux "Network traffic control-Implementation overview," 1999. [Online], Available: http://diffserv.sourceforge.net/
2. Traffic Management Specification ver. 4.1, (AF-TM-0121.000), 1999, The ATM Forum Technical Committee.
3. B. Babcock, S Babu, M Datar, R Motwani, and J. Widom, "Models and issues in data stream systems," in Proc. ACM Symp. Principles Datab. Syst., Jun/ 2002, pp. 1-16.
4. J Barlow and W Thrower, "TFN2K - An analysis," Mar. 2003. [Online]. Available: http://ecurityresponse.Symantec.com/avcenter/security/ Content/2000$_$02$_$10$_$a.html, (revision 1.3).
5. S. M. Bellovin, M Leech, and T Taylor, "ICMP traceback messages," Internet Draft, draft-ietf-itrace-01.txt, Oct. 2001.
6. D. J. Bernstein, "Syn cookies," 1996. [Online]. Available: http://cr.yp.to/syncookies.html
7. B. Bloom, "Space/time trade-offs in hash coding with allowable errors," in Proc. Commun. ACM, Jul. 1970, vol. 13, pp. 422-426.
8. A. Broder and M. Mitzenmacher, "Network applications of Bloom filters: A survey, 2002," in Proc. 40th Annu. Allerton Conf. Commun., Control, Comput., 2002, pp. 636-646.
9. H. Burch and B Cheswick, "Tracing anonymous packets to their approximate source," in Proc. USENIX LISA, 2000, pp. 319-328.
10. E. Chan, "IDR: Intrusion detection router for defending distributed denial-of-service (DDoS) attack," in Proc ISPAN, May 2004, pp. 581-586.
11. K. J. Houle, G. M. Weaver, N. Long, and R. Thomas, "Trends in denial of service attack technology," C.ERT/Coordination Center, 2001. [Online]. Available: http://www.cert.org/archive/pdf/DoSS_Strends.pdf
12. Computer Security Institute and Federal Bureau of Investigation, "CSI/FBI computer crime and security survey," 2003. [Online]. Available: http://www.gocsi.com
13. U.S. Department of Homeland Security, "The national strategy to security Cyberspace," 2003. [Online]. Available: http://www.dhs.gov/ interweb/assetlibrary/National_Cyberspace_S trategy.pdf
14. C. Estan and G. Varghese, "New directions in traffic measurement and accounting," in Proc. SIGCOMM, 2002, pp. 323-336.
15. W. C. Feng, K. G. Shin, D. Kandlur, and D. Saha, "Stochastic fair blue: A queue management algorithm for enforcing fairness," in Proc. IEEE INFOCOM, Apr. 2001, pp. 1520-1529.
16. P. Ferguson and D. Senie, "Network ingress filtering: Defeating denial of service attacks which employ IP source address spoofing," IETF, RFC2827, May 2000.
17. S Floyd and V. Jacobson, "Link-sharing and resource management models for packet networks," IEEE/ACM Trans. Netw., vol. 3, no. 4, pp. 365-386, Aug. 1995.
18. S. Floyd, "Notes of class-based queueing: Setting parameters," 1995. [Online], Available: ftp://ftp.ee.lbl.gov/papers/params.ps.Z, Informal notes
19. Chao Gong, Trinh Le, Turgay Korkmaz, and Kamil Sarac, "Single packet IP traceback in AS-level partial deployment scenario," in Proc. IEEE GLOBECOM, 2005, pp. 1817-1821.
20. A. Hussain, J. Heidemann, and C. Papadopoulos, "A framework for classifying denial of service attacks," in Proc. ACM SIGCOMM, Karlsruhe, Germany, Aug. 2003, pp. 99-110.
21. V. acobson and M. J. Karels, "Congestion avoidance and control," in Proc. ACM SIGCOMM, 1988, pp. 314-329.
22. H. Jiang and C. Dovrolis, "Source-level IP packets bursts: Causes and effects," in Proc. ACM Internet Measurements Conf., Miami, FL, Oct. 2003, pp. 301-306.
23. S. Jin and D. S. Yeung, IEEE Commun. Soc., 2004.
24. Y. Kim, W. C. Lau, M. C. Chuah, and J. H. Chao, "PacketScore: Statistical-based overload control against distributed denial of service attacks," in Proc. IEEE INFOCOM, Mar. 2004, pp. 2594-2604.
25. R. M. Karp, S. Shenker, and C. H. Papadimitriou, "A simple algorithm for finding frequent elements in streams and Bags," ACM Trans. Datab. Syst., vol. 28, no. 1, pp. 51-55, Mar. 2003.
26. C. Krügel, T. Toth, and E. Kirda, "Service specific anomaly detection for network intrusion detection," ACM SAC, pp. 201-208, 2002.
27. [Online], Available: http://www.tcpdump.org/
28. D. Liu and F. Huebner, "Application profiling of ip traffic," in Proc. 27th Annu. IEEE Conf. Local Comput. Netw., 2002, pp. 220-229.
29. R. Mahajan, S. M. Bellovin, S. Floyd, J. Ioannidis, V. Paxson, and S. Shenker, "Controlling high bandwidth aggregates in the network," AC1RI & AT&T Labs Res., Tech. Rep., Jul. 2001.
30. G. Marsaglia, "Xorshift RNGs," J. Statistical Software, vol. 8, no. 14, pp. 1-6, 2003.
31. J. Mirkovic, P. Reiher, and G. Prier, "Attacking DDoS at the source," in Proc. ICNP, Nov. 2002, pp. 312-321.
32. D. Moore, G. M. Voelker, and S. Savage, "Inferring Internet denial-of-service activity," in Proc. 10th USENIX Security, 2001, pp. 9-22.
33. [Online]. Available: http://www-nrg.ee.lbl.gov/ns
34. S. K. Rayanchu and G. Barua, "Tracing attackers with deterministic edge router marking (DERM)," in Proc. 1st Int. Conf. Distrib. Comput. Internet Technol., 2004, pp. 49-52.
35. S. K. Rayanchu, "Defending against slave and reflector attacks," in Proc. Nat. Conf. Commun., 2005, Invited Lecture.
36. P. R. Russell, "Unreliable guide to kernel hacking," Distributed with the 2.3.99 Linux RedHat Kernel, 2000.
37. P. R. Russell and H. Welte, Linux netfilter Hacking HOWTO 2002. [Online], Available: http://www.netfilter.org/
38. J. H. Salim, R. Olsson, and A. Kuznetsov, "Beyond softnet," in Proc. 5th Annu. Linux Showcase Conf., 2001, pp. 165-172.
39. S. Savage, D. Wetherall, A. Karlin, and T. Anderson, "Practical network support for IP traceback," in Proc. ACM SIGCOMM, Aug. 2000, pp. 295-306.
40. A. C. Snoeren, C. Partridge, L. A. Sanchez, C. E. Jones, F. Tchakountio, S. T. Kent, and W. T. Strayer, "Hash-based IP traceback," in Proc. ACM SIGCOMM, Aug. 2001, pp. 3-14.
41. P. Vixie, G. Sneeringer, and M. Schleifer, "Event Report," Events of 21-Oct-2002 [Online]. Available: http://d.root-servers.org/october21. txt
42. A. Yaar, A. Perrig, and D. Song, "Pi: A path identification mechanism to defend against DDoS attacks," in Proc. IEEE Symp. Security Privacy, 2003, pp. 93-107.
43. D. K. Y. Yau, J. C. S. Lui, F. Liang, and Y. Yam, "Defending Against distributed denial-of-service attacks with max-min fair server-centric router throttles," IEEE/ACM Trans. Netw., vol. 13, no. 1, pp. 29-42, 2005.