Since late 1999, DDoS (Distributed Denial of Service) attacks have drawn much attention from both the research and industry communities. Many potential solutions (e.g., ingress filtering, packet marking or tracing, and aggregate-based congestion control or rate limiting) have been proposed to handle this network bandwidth consumption attack. Among them, "ICMP traceback (iTrace)" is currently being considered as an industry standard by the IETF (Internet Engineering Task Force). While the idea of iTrace is very clever, efficient, reasonably secure and practical, it suffers from a performance problem: the chance of obtaining "useful" and "valuable" iTrace messages in a short period of time can be small against various types of DDoS attacks. In fact, in some cases, most of the network resources spent on generating and utilizing iTrace messages will be wasted. Therefore, we propose a simple enhancement called "Intention-Driven" iTrace, which conceptually introduces an extra bit in the routing and forwarding process. Our simulation study shows that, with the new "intention-bit", the performance of iTrace improves dramatically. This work has been proposed to the IETF's ICMP Trace-Back working group.

Dr. S. (Shyhtsun) Felix Wu
Associate Professor
Computer Science Department
University of California at Davis
wu@cs.ucdavis.edu
http://www.cs.ucdavis.edu/~wu
office: 1-530-754-7070
fax: 1-530-752-4767