The original paper is in English. Non-English content has been machine-translated and may contain typographical errors or mistranslations. ex. Some numerals are expressed as "XNUMX".
Distributed denial-of-service attacks on public servers have recently become more serious. Most of them are SYN flood attacks, because malicious attackers can easily exploit the TCP specification to generate traffic that makes public servers unavailable. We need a defense method that can protect legitimate traffic so that end users can connect to the target servers during such attacks. In this paper, we propose a new framework in which all TCP connections from a domain to the victim servers are maintained at the gateways of the domain (i.e., near the clients). We call the nodes that maintain the TCP connection defense nodes. The defense nodes check whether arriving packets are legitimate or not by maintaining the TCP connection. That is, the defense nodes delegate reply packets to the received connection request packets and identify the legitimate packets by checking whether the clients reply to the reply packets. Then, only the identified traffic is relayed via overlay networks. As a result, by deploying the defense nodes at the gateways of a domain, the legitimate packets from the domain are relayed separately from other packets, including attack packets, and are protected. Our simulation results show that our method can protect legitimate traffic from the domain deploying our method. We also describe the deployment scenario of our defense mechanism.
The copyright of the original papers published on this site belongs to IEICE. Unauthorized use of the original or translated papers is prohibited. See IEICE Provisions on Copyright for details.
Yuichi OHSITA, Shingo ATA, Masayuki MURATA, "Deployable Overlay Network for Defense against Distributed SYN Flood Attacks" in IEICE TRANSACTIONS on Communications,
vol. E91-B, no. 8, pp. 2618-2630, August 2008, doi: 10.1093/ietcom/e91-b.8.2618.
Abstract: Distributed denial-of-service attacks on public servers have recently become more serious. Most of them are SYN flood attacks, since the malicious attackers can easily exploit the TCP specification to generate traffic making public servers unavailable. We need a defense method which can protect legitimate traffic so that end users can connect to the target servers during such attacks. In this paper, we propose a new framework, in which all of the TCP connections to the victim servers from a domain are maintained at the gateways of the domain (i.e., near the clients). We call the nodes maintaining the TCP connection defense nodes. The defense nodes check whether arriving packets are legitimate or not by maintaining the TCP connection. That is, the defense nodes delegate reply packets to the received connection request packets and identify the legitimate packets by checking whether the clients reply to the reply packets. Then, only identified traffic is relayed via overlay networks. As a result, by deploying the defense nodes at the gateways of a domain, the legitimate packets from the domain are relayed apart from other packets, including attack packets, and protected. Our simulation results show that our method can protect legitimate traffic from the domain deploying our method. We also describe the deployment scenario of our defense mechanism.
URL: https://global.ieice.org/en_transactions/communications/10.1093/ietcom/e91-b.8.2618/_p
@ARTICLE{e91-b_8_2618,
author={Yuichi OHSITA and Shingo ATA and Masayuki MURATA},
journal={IEICE TRANSACTIONS on Communications},
title={Deployable Overlay Network for Defense against Distributed SYN Flood Attacks},
year={2008},
volume={E91-B},
number={8},
pages={2618-2630},
abstract={Distributed denial-of-service attacks on public servers have recently become more serious. Most of them are SYN flood attacks, since the malicious attackers can easily exploit the TCP specification to generate traffic making public servers unavailable. We need a defense method which can protect legitimate traffic so that end users can connect the target servers during such attacks. In this paper, we propose a new framework, in which all of the TCP connections to the victim servers from a domain are maintained at the gateways of the domain (i.e., near the clients). We call the nodes maintaining the TCP connection defense nodes. The defense nodes check whether arriving packets are legitimate or not by maintaining the TCP connection. That is, the defense nodes delegate reply packets to the received connection request packets and identify the legitimate packets by checking whether the clients reply to the reply packets. Then, only identified traffic are relayed via overlay networks. As a result, by deploying the defense nodes at the gateways of a domain, the legitimate packets from the domain are relayed apart from other packets including attack packets and protected. Our simulation results show that our method can protect legitimate traffic from the domain deploying our method. We also describe the deployment scenario of our defense mechanism.},
keywords={},
doi={10.1093/ietcom/e91-b.8.2618},
ISSN={1745-1345},
month={August},}
TY - JOUR
TI - Deployable Overlay Network for Defense against Distributed SYN Flood Attacks
T2 - IEICE TRANSACTIONS on Communications
SP - 2618
EP - 2630
AU - Yuichi OHSITA
AU - Shingo ATA
AU - Masayuki MURATA
PY - 2008
DO - 10.1093/ietcom/e91-b.8.2618
JO - IEICE TRANSACTIONS on Communications
SN - 1745-1345
VL - E91-B
IS - 8
JA - IEICE TRANSACTIONS on Communications
Y1 - August 2008
AB - Distributed denial-of-service attacks on public servers have recently become more serious. Most of them are SYN flood attacks, since the malicious attackers can easily exploit the TCP specification to generate traffic making public servers unavailable. We need a defense method which can protect legitimate traffic so that end users can connect the target servers during such attacks. In this paper, we propose a new framework, in which all of the TCP connections to the victim servers from a domain are maintained at the gateways of the domain (i.e., near the clients). We call the nodes maintaining the TCP connection defense nodes. The defense nodes check whether arriving packets are legitimate or not by maintaining the TCP connection. That is, the defense nodes delegate reply packets to the received connection request packets and identify the legitimate packets by checking whether the clients reply to the reply packets. Then, only identified traffic are relayed via overlay networks. As a result, by deploying the defense nodes at the gateways of a domain, the legitimate packets from the domain are relayed apart from other packets including attack packets and protected. Our simulation results show that our method can protect legitimate traffic from the domain deploying our method. We also describe the deployment scenario of our defense mechanism.
ER -