International Journal of Network Security, Vol.7, No.1, PP.70–81, July 2008

Detecting and Preventing IP-spoofed Distributed DoS Attacks

Yao Chen (1), Shantanu Das (1), Pulak Dhar (2), Abdulmotaleb El Saddik (1), and Amiya Nayak (1)
(Corresponding author: Shantanu Das)

(1) School of Information Technology and Engineering, University of Ottawa, 800 King Edward Avenue, Ottawa, ON K1N 6N5, Canada (Email: shantdas@site.uottawa.ca)
(2) Cistel Technology Inc., 30 Concourse Gate, Unit 40, Ottawa, ON K2E 7V7, Canada

(Received Aug. 9, 2006; revised and accepted Nov. 8, 2006)

Abstract

In this paper, we explore mechanisms for defending against Distributed Denial of Service (DDoS) attacks, which have become one of the major threats to the operation of the Internet today. We propose a novel scheme for detecting and preventing the most harmful and difficult to detect DDoS attacks: those that use IP address spoofing to disguise the attack flow. Our scheme is based on a firewall that can distinguish the attack packets (containing spoofed source addresses) from the packets sent by legitimate users, and thus filters out most of the attack packets before they reach the victim. Unlike other packet-marking based solutions, our scheme has a very low deployment cost: we estimate that an implementation of this scheme would require the cooperation of only about 20% of the Internet routers in the marking process. The scheme allows the firewall system to configure itself based on the normal traffic of a Web server, so that the occurrence of an attack can be quickly and precisely detected. We have extensively tested our scheme by simulating DDoS attacks with up to several thousand attackers, and the experimental results show that more than 90% of attack packets can be effectively filtered out without significantly affecting the flow of legitimate packets to the victim Web server.
Keywords: Distributed denial-of-service attacks, firewall, IP address spoofing, packet filtering

1 Introduction

Today, the Internet is an essential part of our everyday life, and many important and crucial services like banking, shopping, transport, health, and communication are partly or completely dependent on it. According to recent sources [12, 13], the number of hosts connected to the Internet has increased to almost 400 million, and there are currently more than 1 billion users of the Internet. Thus, any disruption in the operation of the Internet can be very inconvenient for most of us.

As the Internet was originally designed for openness and scalability without much concern for security, malicious users can exploit the design weaknesses of the Internet to wreak havoc in its operation. Incidents of disruptive activities like e-mail viruses, computer worms and denial-of-service attacks have been on the rise ([6] reports an increase of such incidents from 252 in 1990 to 137,529 in 2003). The incidents which have raised the most concern in recent years are the denial-of-service (DoS) attacks, whose sole purpose is to reduce or eliminate the availability of a service provided over the Internet to its legitimate users. This is achieved either by exploiting vulnerabilities in the software, network protocols, or operating systems, or by exhausting consumable resources such as the bandwidth, computational time and memory of the victim. The first kind of attack can be avoided by patching vulnerable software and updating the host systems from time to time. In comparison, the second kind of DoS attack is much more difficult to defend against. It works by sending a large number of packets to the target, so that some critical resources of the victim are exhausted and the victim can no longer communicate with other users.
In the distributed form of DoS attacks (called DDoS), the attacker first takes control of a large number of vulnerable hosts on the Internet, and then uses them to simultaneously send a huge flood of packets to the victim, exhausting all of its resources. There are a large number of exploitable machines on the Internet with weak security measures that attackers can use to launch DDoS attacks, so such attacks can be executed by an attacker with limited resources against large, sophisticated sites. The attackers in DDoS attacks always modify the source addresses in the attack packets to hide their identity, making it difficult to distinguish such packets from those sent by legitimate users. This technique, called IP address spoofing, has been used in major DDoS attacks in the recent past, including the attacks on e-commerce