Packet Marking Based Cooperative Attack Response Service for Effectively Handling Suspicious Traffic

  • Gaeil An
  • Joon S. Park
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4318)


The security vulnerabilities in a network environment and their corresponding countermeasures have become more critical issues than ever. Although many researchers and vendors have introduced powerful mechanisms such as Intrusion Detection System (IDS) or Intrusion Prevention System (IPS) for network security, the packet-based decision is not always correct, especially when those systems are involved in network traffics across multiple organizations under different security policies. In fact, some legitimate (normal) network traffics produce a similar pattern to that of malicious traffics such as Distributed Denial of Service (DDoS), and vice versa. We call those traffics suspicious. Suspicious traffic cannot be clearly designated as malicious or normal traffic. Since traditional IDS or IPS approaches make a simple binary decision (i.e., allow or reject) based on pre-defined rules, there is a high possibility that suspicious/legitimate packets are rejected or suspicious/malicious packets are allowed. To enhance the quality of service in a network environment, we propose in this paper a Packet Marking-Based Cooperative Attack Response Service (pm-CARS) that is able to effectively deal with suspicious network traffic. pm-CARS nodes cooperate with each other by using packet-marking. These pm-CARS nodes mark suspicious packets instead of dropping them. All the marked packets are forwarded to the next node using a low priority of service designation, which indicates the drop probability is very high. Our pm-CARS includes two schemes: abnormal IP address detection and abnormal excess traffic detection schemes. Our pm-CARS can reduce the false-positive rate and can protect the quality of service for innocent traffic from attacks. Finally, we simulate our ideas in a network environment and discuss the evaluation results.


Network Security Attack Response Denial of Service Attack Packet Marking Quality of Service 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Geng, X., Whinston, A.B.: Defeating Distributed Denial of Service Attacks. IT Pro., pp. 36–41 (2000)Google Scholar
  2. 2.
    Mirkovic, J., Reiher, P.: A Taxonomy of DDoS Attack and DDoS Defense Mechanisms. ACM SIGCOMM Computer Communications Review 34(2), 39–53 (2004)CrossRefGoogle Scholar
  3. 3.
    Risson, J., Moors, T.: Survey of Research towards Robust Peer-to-Peer Networks: Search Methods. IRTF draft-irtf-p2prg-survey-search-00.txt (2006)Google Scholar
  4. 4.
    Jung, J., Krishnamurthy, B., Rabinovich, M.: Flash Crowds and Denial of Service Attacks: Characterization and Implications for CDNs and Web Sites. In: The 11th International World Wide Web Conference, pp. 252–262 (2002)Google Scholar
  5. 5.
    Afek, Y.: DDoS: Why You Need to Worry (How to Solve The Problem). In: 30th Annual computer security conference and Exhibition (2003)Google Scholar
  6. 6.
    Mahajan, R., Bellovin, S.M., Floyd, S., et al.: Controlling High Bandwidth Aggregates in the Network. ACM SIGCOMM Computer Communications Review 32(3), 62–73 (2002)CrossRefGoogle Scholar
  7. 7.
    Yau, D.K.Y., Lui, J.C.S., Liang, F.: Defending against distributed denial-of-service attacks with max-min fair server-centric router throttles. In: Tenth IEEE International Workshop on Quality of Service, pp. 35–44 (2002)Google Scholar
  8. 8.
    Houle, K.J., Weaver, G.M.: Trends in Denial of Service Attack Technology. The fall 2001 NANOG meeting (2001)Google Scholar
  9. 9.
    Nichols, K., Blake, S., Baker, F., Black, D.: Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers. IETF RFC 2474Google Scholar
  10. 10.
    Baker, F., Weiss, W., Wroclawski, J.: Assured Forwarding PHB Group. IETF RFC 2597Google Scholar
  11. 11.
    Jacobson, V., Nichols, K., Poduri, K.: An Expedited Forwarding PHB. IETF RFC 2598Google Scholar
  12. 12.
    Leckie, C., Kotagiri, R.: A Probabilistic Approach to Detecting Network Scans. In: IEEE Network Operations and Management Symposium, pp. 359–372 (2002)Google Scholar
  13. 13.
    Schechter, S., Jung, J., Berger, A.W.: Fast Detection of Scanning Worm Infections. In: Jonsson, E., Valdes, A., Almgren, M. (eds.) RAID 2004. LNCS, vol. 3224, pp. 59–81. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  14. 14.
    Twycross, J., Williamson, M.M.: Implementing and testing a virus throttle. In: 12th USENIX Security Symposium (2003)Google Scholar
  15. 15.
    Templeton, S.J., Levitt, K.E.: Detecting Spoofed Packets. In: DARPA Information Survivability Conference and Exposition (2003)Google Scholar
  16. 16.
    Cisco: Unicast Reverse Path Forwarding (uRPF) Enhancements for the ISP-ISP Edge (2001),
  17. 17.
    UCB/LBNL/VINT: Network simulator (ns) Notes and Documentation,

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Gaeil An
    • 1
  • Joon S. Park
    • 1
  1. 1.The Laboratory for Applied Information Security Technology (LAIST), School of Information StudiesSyracuse UniversitySyracuseUSA

Personalised recommendations