Abstract
Distributed denial of service (DDoS) attacks are a significant and recurring threat to companies, as reported in the 2013 Information Security Breaches Survey (Technical Report, http://www.pwc.co.uk/assets/pdf/cyber-security-2013-technical-report.pdf). The most common target is web services, whose downtime can lead to significant monetary cost and loss of reputation. IP spoofing is often used in DDoS attacks not only to hide the identity of the attacking bots but also to defeat IP-based filtering controls. This paper proposes a new multi-layer IP spoofing detection mechanism, the fuzzy hybrid spoofing detector (FHSD), which is based on source MAC address, hop count, GeoIP, passive OS fingerprinting and web browser user agent. The hop count algorithm has been optimized to limit the need for repeated traceroute requests by querying the subnet and GeoIP information instead of individual IP addresses. FHSD uses empirical fuzzy rules and the fuzzy largest-of-maximum operator to identify offending IPs and mitigate their traffic. The proposed system was developed and tested against the BoNeSi DDoS emulator with encouraging results in terms of detection and performance: FHSD analysed 10,000 packets and correctly identified 99.99% of spoofed traffic in under 5 s, while reducing the need for traceroute requests by 97%.
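The abstract names the ingredients (hop count, per-subnet caching of path measurements, several consistency signals, empirical fuzzy rules and largest-of-maximum defuzzification) but not how they are combined. The following is an added illustration of that pipeline, written for this page; it is not the authors' FHSD code and its rule base, membership functions, thresholds and sample packets are all constructed assumptions. In particular it assumes the standard way of inferring hop count passively: round the observed IP TTL up to the nearest common initial TTL (32, 64, 128, 255) and subtract. The "traceroute" is a stub table keyed by /24 so the example runs offline; in practice that callable would issue the real measurement.

```python
"""Added example (not the paper's code): TTL-based hop-count inference with a
per-subnet cache, plus a small fuzzy rule base defuzzified by largest of maximum.
All rules, membership shapes, output values and packets below are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_network

# Assumption: typical initial TTLs used by common operating systems.
INITIAL_TTLS = (32, 64, 128, 255)


def infer_initial_ttl(observed_ttl: int) -> int:
    """Smallest common initial TTL that is >= the observed TTL."""
    if not 1 <= observed_ttl <= 255:
        raise ValueError(f"bad TTL {observed_ttl}")
    return next(t for t in INITIAL_TTLS if observed_ttl <= t)


def hop_count_from_ttl(observed_ttl: int) -> int:
    """Hops the packet has travelled, inferred from how far the TTL has decayed."""
    return infer_initial_ttl(observed_ttl) - observed_ttl


class SubnetHopCache:
    """One path measurement per /24 instead of per IP (the abstract's optimization)."""

    def __init__(self, measure, prefixlen: int = 24):
        self._measure = measure          # callable(ip) -> hop count, e.g. a traceroute
        self._prefixlen = prefixlen
        self._table = {}                 # subnet -> measured hop count
        self.measurements = 0            # how many real measurements were needed

    def expected_hops(self, ip: str) -> int:
        key = str(ip_network(f"{ip}/{self._prefixlen}", strict=False))
        if key not in self._table:
            self.measurements += 1
            self._table[key] = self._measure(ip)
        return self._table[key]


@dataclass
class Evidence:
    hop_delta: int       # |inferred hops - expected hops for the subnet|
    geo_mismatch: bool   # GeoIP country disagrees with what the subnet showed before
    os_mismatch: bool    # passive OS fingerprint disagrees with the User-Agent's OS
    mac_mismatch: bool   # source MAC differs from the one previously seen for this path


def mu_small(delta: int) -> float:
    """'Hop delta is small': 1 at 0, falling linearly to 0 at 4 (assumed shape)."""
    return max(0.0, 1.0 - delta / 4.0)


def mu_large(delta: int) -> float:
    """'Hop delta is large': 0 up to 2, rising linearly to 1 at 6 (assumed shape)."""
    return min(1.0, max(0.0, (delta - 2) / 4.0))


# Output sets as singletons on a 0..1 spoof-score axis (assumed positions).
OUTPUT = {"legit": 0.1, "suspicious": 0.5, "spoofed": 0.9}


def fire_rules(e: Evidence) -> dict:
    """Assumed empirical rule base; fuzzy AND = min, fuzzy OR = max."""
    small, large = mu_small(e.hop_delta), mu_large(e.hop_delta)
    geo, os_, mac = float(e.geo_mismatch), float(e.os_mismatch), float(e.mac_mismatch)
    any_meta = max(geo, os_)             # GeoIP or OS/UA inconsistency
    no_meta = min(1 - geo, 1 - os_)
    return {
        "legit":      min(small, no_meta, 1 - mac),
        "suspicious": max(min(small, any_meta), min(large, no_meta, 1 - mac)),
        "spoofed":    max(mac, min(large, any_meta), min(geo, os_)),
    }


def largest_of_maximum(memberships: dict) -> float:
    """LoM defuzzification: among outputs reaching the peak membership, pick the largest."""
    peak = max(memberships.values())
    if peak == 0.0:                      # no rule fired at all: treat as suspicious
        return OUTPUT["suspicious"]
    return max(OUTPUT[name] for name, m in memberships.items() if m == peak)


def classify(observed_ttl, ip, cache, geo_mismatch, os_mismatch, mac_mismatch):
    delta = abs(hop_count_from_ttl(observed_ttl) - cache.expected_hops(ip))
    score = largest_of_maximum(fire_rules(Evidence(delta, geo_mismatch, os_mismatch, mac_mismatch)))
    label = next(name for name, value in OUTPUT.items() if value == score)
    return score, label


def demo():
    # Constructed stand-in for traceroute: two documentation subnets at fixed distances.
    routes = {"203.0.113.0/24": 12, "198.51.100.0/24": 7}
    cache = SubnetHopCache(lambda ip: routes[str(ip_network(f"{ip}/24", strict=False))])
    packets = [  # (src IP, observed TTL, geo mismatch, OS mismatch, MAC mismatch)
        ("203.0.113.10", 52, False, False, False),   # 64-52 = 12 hops, consistent
        ("203.0.113.77", 116, False, False, False),  # 128-116 = 12 hops, consistent
        ("203.0.113.99", 250, True, True, False),    # 5 hops vs 12, GeoIP and OS disagree
        ("198.51.100.5", 57, False, False, True),    # hops fine, but wrong source MAC
        ("198.51.100.200", 54, False, False, False), # 10 hops vs 7: tie, LoM picks suspicious
    ]
    results = [classify(ttl, ip, cache, g, o, m) for ip, ttl, g, o, m in packets]
    return results, cache.measurements


if __name__ == "__main__":
    for (score, label), in zip(demo()[0]):
        print(f"{score:.1f} {label}")
```

Two properties of the design are worth noting. The cache serves five packets from two subnets with two measurements, which is where the reduction in traceroute traffic comes from; a real deployment would also expire entries, since routes change. The last packet shows why largest of maximum matters: a hop delta of 3 leaves "legit" and "suspicious" tied at equal membership, and LoM resolves the tie towards the higher spoof score rather than silently accepting the packet.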
DOI
10.1093/comjnl/bxu007
Publication Date
2015-04-01
Publication Title
The Computer Journal
Volume
58
Issue
4
Publisher
Oxford University Press (OUP)
ISSN
1460-2067
Embargo Period
2024-11-22
First Page
892
Last Page
903
Recommended Citation
Shiaeles, S., & Papadaki, M. (2015) 'FHSD: An Improved IP Spoof Detection Method for Web DDoS Attacks', The Computer Journal, 58(4), pp. 892-903. Oxford University Press (OUP). Available at: https://doi.org/10.1093/comjnl/bxu007