1, 2010
A backpressure technique for filtering spoofed traffic at upstream routers
S. Malliga* and A. Tamilarasi
Department of Computer Science and Engineering, Kongu Engineering College, Perundurai, Erode 638 052, Tamil Nadu, India
E-mail: mallisenthil@yahoo.com
E-mail: drtamil@kongu.ac.in
*Corresponding author
Abstract: The ever increasing rate of Denial of Service (DoS) attacks presents severe security threats to the internet. In this study, a backpressure scheme to filter DoS attack traffic at the earliest possible point is presented. This paper utilises markings stamped in the packets by the routers to detect DoS attacks. To improve the accuracy of detection, the detection process is augmented with hop count values from the IP header. A backpressure technique partially deployed at the upstream routers is also proposed to prevent congestion at the victim. Simulation studies show that our scheme drops most of the attack traffic at the earliest time.

Keywords: DoS; denial of service; security; packet marking; hop count; backpressure; partial deployment.

Reference to this paper should be made as follows: Malliga, S. and Tamilarasi, A. (2010) A backpressure technique for filtering spoofed traffic at upstream routers, Int. J. Security and Networks, Vol. 5, No. 1, pp.3–14.

Biographical notes: Malliga Subramanian has obtained her Master Degree in Computer Science and Engineering from Anna University, Chennai, Tamil Nadu, India in the year 2004. Her research interest includes network and data security. She is doing her PhD in network security. She has 13 years of teaching experience in the field of Computer Science and Engineering. Currently, she is working as an Assistant Professor in the Department of Computer Science and Engineering, Kongu Engineering College, Perundurai, Tamil Nadu, India. She has presented papers on her research area in national and international IEEE conferences and published research papers in International journals.

A. Tamilarasi has obtained her PhD in Algebra in 1994 from the University of Madras, Chennai, Tamil Nadu. She was awarded JRF by UGC in the year 1986. Presently, she is working as a Professor in the Department of Computer Science and Engineering, Kongu Engineering College, Perundurai, Tamil Nadu, India.
She has published about 30 papers in national and international journals and conferences. Her areas of interest include semi group theory, fuzzy sets and fuzzy logic. She has been guiding PhD and MPhil scholars and is also an approved guide of Anna University, Chennai, Tamil Nadu.
1 Introduction
Denial of Service (DoS) attack on the internet has become a serious issue as a result of a series of attacks in the recent past. The vulnerability of the internet to DoS attacks has been brought to the notice of users by several security incidents on websites like Yahoo, eBay, E*Trade etc. (Garber, 2000). A DoS attack is an explicit attempt by attackers to deny legitimate users access to authorised resources. Weakly protected systems are exploited to launch these attacks. The attacks mimic requests from valid users, thereby pressurising the victim system to spend much time on these bogus packets. For example, requesting a large file from the victim and causing computationally intensive operations on the victim are some ways of executing DoS attacks (Walsh et al., 2005). Simply increasing the victim's resources would not help in providing services to the legitimate users. In fact, it makes it easier for the offenders to launch many more such attacks. More importantly, IP spoofing, which is falsification of the source IP address, is used in conjunction with DoS attacks to hide the true origin of the attacks.

Increasingly, the devastating effects of DoS attacks have attracted the internet research community and led to the development of many anti-DoS measures, which are generally of two types (Peng et al., 2003). One type involves finding the source IP address of the attack traffic using packet marking and Internet Control Message Protocol (ICMP) messages. The other type attempts to rate limit the attack traffic upon congestion.

Packet marking techniques are based on the idea that routers mark packets that traverse through them. The marking may be Deterministic (DPM) or Probabilistic (PPM). In DPM, a router marks all the packets that pass through it. A DPM proposed in Ansari and Belenky (2003) allows an edge router to mark all the packets passing through it with the aim of reconstructing the ingress address of the router closest to the source. In PPM, the packets for marking are chosen with some fixed probability. The victim, in spite of the source addresses being spoofed, can then reconstruct the actual path on receiving an ample number of marked packets. A few PPM schemes are addressed in Anderson et al. (2001), Choi and Dai (2004), Perrig and Song (2001). The packet marking schemes would be useful for IP traceback, which is the name given to the process of identifying the real source of any traffic. When forwarding packets, routers can, with a low probability, generate a Traceback message that is sent along to the destination. With enough Traceback messages from enough routers along the path, the traffic source and path can be determined. The main idea behind the ICMP messaging (Bellovin, 2000) is that every router samples one of the forwarding packets with a low probability, copies the information about the adjacent routers into a special ICMP traceback message and forwards it to the destination. With enough ICMP messages from the routers along the path, the graph of the attack path is determined.

Rate limiting mechanisms impose a rate limit on the traffic that has been characterised either as malicious or as causing congestion at the routers and victim (Mittal, 2005). Congestion is, in turn, caused by aggregates (Mahajan et al., 2003), which are collections of packets from one or more flows. These flows have some properties like source or destination address prefixes in common. On identifying the high bandwidth aggregates of a flow, a rate limit is imposed on the flow thereby reducing its aggressiveness. Nevertheless, the rate limiting schemes are based on the assumption that there is a tremendously large volume of attack traffic along the path.

While the early studies showed that DoS attacks are created by flooding the network with a huge volume of attack packets, there are other forms of network attacks, which may require a small amount of attack flows. Even a single packet may be sufficient to create such attacks and paralyse the nodes. For instance, MS Windows has been crashed with Teardrop attack with just one packet (Microsoft Corporation, 2006). Hence it is essential to find the single attack packet also. Kent et al. (2002) proposes a hash based technique that gathers trails of the network traffic by the process of logging to find the origin of a packet. In our proposal, we address a new system called Filtering on Marking and Hop Count with Backpressure (FMHCBP), that is capable of identifying a single attack packet and dropping it. Our idea uses the packets marked by the routers along the path to find the attack traffic. The packets from a source address should carry the consistent, genuine markings in order to be classified as valid. These markings are used for detecting and filtering the attack packets. To account for the routers' instability and congestion, we also add another detection parameter, namely the hop count value, obtained from the Time To Live (TTL) field of the IP header. The mappings between the source IP addresses and markings along with the hop count values are used to determine the attack packets. For marking, we use the scheme addressed in Malliga and Tamilarasi (2008).

Ideally, we would like to detect and filter the attack traffic near the place of origin. So, we deploy our scheme on intermediate routers partially. When a victim system is severely congested, it may send a backpressure message instructing the previous upstream router to probe and drop the packets. For probing, the upstream routers maintain tables that show the mapping of source IP addresses to the markings and to the hop count values at them. They use these tables to detect and drop the attack packets before they choke the victim. Backpressure does not necessitate the deployment of FMHCBP on all routers. For this purpose, partial deployment would suffice. The experimental results show that our system leads to fewer false negatives while maximising the throughput of the good traffic. We also demonstrate the power of the backpressure technique for blocking the malicious traffic at upstream nodes.

A wide range of tools for handling the DoS attacks is presented in Mirkovic (2002). These tools use the traffic profiles for detecting the attacks. If found malicious, they raise an alarm, but they do not take any action against them, other than just dropping them to an extent. They do not attempt to drop them at the earliest. Though many existing defenses are suitable for finding the flooding DoS attacks, they are not fit for a small volume of the attack traffic. There are some systems that attempted to find a single attack packet, but they require a huge storage overhead on the intermediate routers. Even though FMHCBP incurs a little processing overhead on the routers, which is unavoidable for a marking technique, it helps an administrator to distinguish the attack traffic from the legitimate by establishing a decision making system and extends its support to track down a single attack packet. To reduce the burden on the victim, the backpressure technique helps the Internet Service Provider (ISP) to locate and drop the malicious traffic at the earliest time.

The remainder of the paper discusses our work in detail. Section 2 enumerates the design goals of an anti-DoS system. In Section 3, we review the schemes that are closely related to our system and their limitations. Section 4 gives an insight into the FMHCBP framework for identifying attack packets from the observed traffic. Section 5 discusses how the backpressure technique can be used to protect a victim at the earliest. Our experimental platform and demonstration of the efficacy of FMHCBP, based on the simulation results, are presented in Section 6. Section 7 analyses the issues for the practical deployment of FMHCBP. Finally, in Section 8, we summarise our work and address problems that researchers need to tackle.
It is worth noting here that there are already many large scale DoS detection mechanisms. As discussed in the previous section, detecting a single packet DoS attack is also equally important. In addition to the above design goals, we attempt to propose a DoS detection and filtering system that has the granularity of detecting a single packet DoS attack also.
nodes at the edge network deploy DWARD (Mirkovic, 2002) to classify the traffic as attack or legitimate. The TCP connections that send high volume of traffic and receive no or less replies would be classified as malicious, whereas the connections that receive sufficient number of replies from the destination would be classified as legitimate. But if an attacker spoofs large replies then it would force DWARD to classify him as valid and in turn, would degrade the services to the legitimate requests.

Local Aggregate based Congestion (ACC) (Mahajan et al., 2003) provides a solution that is employed at a router to detect and rate limit the traffic with high volume. The routers identify the high bandwidth aggregates that cause a majority of packet drops and impose rate limits on those aggregates. If a congested router cannot control the aggressiveness of the aggregates, then it sends a pushback signal to the upstream routers that carry the traffic of aggregates, thus leading to pushback ACC. A router receiving a pushback request decides whether to rate limit the aggregates or to propagate the requests to further upstreams. The propagation process of pushback signal is similar to the discovery of traffic tree in DefCOM (Mirkovic et al., 2005a). The pushback ACC would inflict the legitimate traffic that share with the attack path. Specifically, the attack traffic with less volume would not be imposed any rate limit thus meting out the victim.

Lam et al. (2006) proposes a Coordinated Detection and Response (CDR) scheme which consists of detection and response agents that are distributed in stub and transit networks. This scheme employs two types of agents namely Stub Agents (SA) and Transit Agents (TA). The SAs are deployed at the border routers of the stub networks for detecting and responding to attack flows that originate from the networks. The TAs are deployed in transit networks to identify and filter the malicious flow. To detect the TCP rate anomaly, SAs use non-parametric CUmulative SUM (CUSUM) algorithm, which monitors the disproportionate ratio of the number of TCP packets having a destination IP address D to the number of TCP packets having the source address D. The TAs act upon the receipt of attack messages from the SAs.

Peng et al. (2002) suggests a selective pushback technique which identifies the congestion and then pushes back a signal to the routers closest to the source that create congestion. Untrustworthiness of the source address leads to the use of PPM for finding the upstream routers. The path reconstructed by the PPM is used to direct the pushback signal to the upstream routers and block the malicious traffic. During the normal condition, the victim collects and builds up a normal profile for the incoming traffic using the marks stamped in the packets by the routers. From the profile, the victim learns a distribution of number of packets from each router. During the congestion, the victim starts a temporary profile of the packets arriving from the routers. The rate of change in each router would then be used to detect the attacks and the pushback is initiated. But the changes in routing would lead to unacceptable results. If offenders use the same path as valid requests, they may go undetected.

To summarise, all the above systems would be useful for detecting a large scale DoS attacks, but not suitable for detecting DoS attacks caused by a single or few packets. Also, these schemes would fail, if an attacker spoofs the IP address of a host belonging to the same network where he resides.

To let the packets from different hosts belonging to a network have different markings at a victim system, the edge router, which inserts the packets into the core network, uses a different way of marking. To do that, the edge router maintains a table that has a mapping of 48-bit Medium Access Control (MAC) or Hardware address of each host of the network to a unique number assigned to each of these addresses. MAC address is a unique identifier assigned to a network interface card. When a packet arrives at the edge router, it stamps the unique number mapped to the MAC address of the sending host in the packet and forwards the packet. In order to reduce the processing overhead due to marking on intermediate routers, an edge router marks the packets with certain probability. All the other routers use modulo technique as described earlier to continue marking. An intermediate router chooses to mark a packet if it has been already marked by the edge router. This is understood using the flag bit as shown below.

Flag (1 bit) | Previous marking Number of interfaces of the router + Unique number assigned to the inbound interface (31 bits)
Table 1 Packet classification procedure

Marking Table: Source IP address | Marking Table: Marking | Hop Count Table: Source IP address | Hop Count Table: Hop Count value | Decision
Contains | Matches | | | Accept
Contains | No matches | Exists | Matches ( some constant) | Accept
Contains | No matches | Exists | Mismatches ( some constant) | Drop
Contains | No matches | Not exists | | Drop
Not contains | | Exists | Matches ( some constant) | Accept
Not contains | | Exists | Mismatches ( some constant) | Drop
Not contains | | Not exists | | Accept
misclassification, a counter called, Mismatch score, is maintained for each IP address, which is incremented whenever a doubtful decision is taken, that is, when no match is found on the Marking and/or Hop Count Tables. Also, when a packet from an IP address that is not in both the tables arrives, it is accepted and the mismatch score for the IP is incremented. On exceeding the threshold, a simple verification process begins. The ICMP Echo request and response packets used for the verification are given in Table 2 with types and codes.
Table 2 ICMP messages for seeking genuineness

Packet name | ICMP type | ICMP code | Description
Reqg | 8 | 1 | ICMP Echo request to seek genuineness
Resg | 0 | 1 | ICMP Echo response to confirm genuineness
We follow the simple verification process adopted in Chen et al. (2008). For the source IP address whose score exceeds the threshold, an entry is added to an Authentication list, which contains the details of the marking from the IP addresses, a counter to update the number of ICMP Echo messages sent and content of the echo request message. Subsequently, an ICMP Echo request packet is sent to the source IP and the counter is incremented. On receiving the echo response, the markings are verified and the tables are updated, if needed. Following this, the mismatch score is reset to 0. The entry corresponding to the IP in the Authentication list is purged, leaving space for further requests. If the victim gets no response for the echo request within Round Trip Time (RTT), then it resends the echo request and the counter for the IP is incremented in the Authentication list. When no response is seen for n requests, this means that the IP is not active and the entry is removed from the Authentication list. Further, all the packets from the IP address are dropped. The purpose of keeping the content of the echo message in the list is to prevent the imitation of the response by an attacker. It also helps to compare it with the content of the reply and ensure that the attacker has not forged the reply packets.
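The Table 1 decision, the mismatch score and the echo verification described above can be put together as follows. This is an added example, not code from the paper: the tolerance, threshold, probe limit and initial-TTL list are assumed values, all names are illustrative, and Table 1 is read as "a matching marking accepts outright, otherwise the hop count decides, and a source known only to the Marking Table is dropped".

```python
"""Added example: Table 1 decisions, mismatch score and echo verification."""
import secrets
from dataclasses import dataclass, field

HOP_TOLERANCE = 2                   # assumed value of "some constant"
SCORE_THRESHOLD = 2                 # assumed mismatch-score threshold
MAX_PROBES = 3                      # assumed n: unanswered echo requests
INITIAL_TTLS = (32, 64, 128, 255)   # assumed common initial TTL values


def hop_count(ttl):
    """Hops travelled = smallest plausible initial TTL minus the observed TTL."""
    return min(t for t in INITIAL_TTLS if t >= ttl) - ttl


@dataclass
class Filter:
    marking: dict = field(default_factory=dict)  # Marking Table: IP -> marking
    hops: dict = field(default_factory=dict)     # Hop Count Table: IP -> hops
    score: dict = field(default_factory=dict)    # mismatch score per IP
    auth: dict = field(default_factory=dict)     # Authentication list
    blocked: set = field(default_factory=set)    # IPs that never answered

    def classify(self, src, mark, ttl):
        """Return 'accept' or 'drop' for one packet, following Table 1."""
        if src in self.blocked:
            return "drop"
        if src in self.marking and self.marking[src] == mark:
            return "accept"                              # row 1
        known = self.hops.get(src)
        if known is None:                                # rows 4 and 7
            decision = "drop" if src in self.marking else "accept"
        else:                                            # rows 2-3 and 5-6
            close = abs(known - hop_count(ttl)) <= HOP_TOLERANCE
            decision = "accept" if close else "drop"
        self._doubt(src, mark)
        return decision

    def _doubt(self, src, mark):
        """Count a doubtful decision; past the threshold, queue verification."""
        self.score[src] = self.score.get(src, 0) + 1
        if self.score[src] > SCORE_THRESHOLD and src not in self.auth:
            self.auth[src] = {"mark": mark, "sent": 0,
                              "payload": secrets.token_bytes(8)}

    def next_probe(self, src):
        """Call once per RTT: echo payload to (re)send, or None if finished."""
        entry = self.auth.get(src)
        if entry is None:
            return None
        if entry["sent"] >= MAX_PROBES:                  # n requests unanswered
            del self.auth[src]
            self.blocked.add(src)
            return None
        entry["sent"] += 1
        return entry["payload"]

    def on_echo_reply(self, src, payload, mark, ttl):
        """Accept a reply only if it echoes the stored request content."""
        entry = self.auth.get(src)
        if entry is None or payload != entry["payload"]:
            return False
        self.marking[src] = mark                         # update both tables
        self.hops[src] = hop_count(ttl)
        self.score[src] = 0
        del self.auth[src]
        return True


def demo():
    """Constructed traffic against a learned host (marking 42, 12 hops)."""
    f = Filter(marking={"10.0.0.5": 42}, hops={"10.0.0.5": 12})
    decisions = [
        f.classify("10.0.0.5", 42, 52),    # row 1: marking matches
        f.classify("10.0.0.5", 43, 51),    # row 2: 13 hops, within tolerance
        f.classify("10.0.0.5", 43, 40),    # row 3: 24 hops
        f.classify("10.0.0.5", 43, 40),    # row 3 again: score passes threshold
    ]
    payload = f.next_probe("10.0.0.5")
    verified = f.on_echo_reply("10.0.0.5", payload, 43, 51)
    decisions.append(f.classify("10.0.0.5", 43, 51))     # row 1 after update
    return decisions, verified


if __name__ == "__main__":
    print(demo())
```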
6 Simulation results
Through simulation experiments, we analyse and present the effectiveness of FMHCBP below.
The above table shows the values that we have come up with on the trial and error based experiments.
this comparison are presented in Table 4 in terms of acceptance and rejection ratio of the spoofed and randomised attack traffic by different approaches.

Table 4 Acceptance and rejection ratio of spoofed and randomised attack traffic

Approaches | Acceptance ratio | Rejection ratio
FMHCBP (with prob. 0.3) | 0.21 | 0.79
ACC | 0.62 | 0.38
Selective pushback | 0.72 | 0.28
CDR | 0.43 | 0.57
DefCOM | 0.68 | 0.32

As has been shown in the above table, FMHCBP allows comparatively less attack traffic than other closely related systems.

Providing a fair treatment to the good traffic alone would not make a system more effective. Minimising the attack traffic throughput matters as well. So, in order to validate FMHCBP against the attack traffic, we have conducted a test using the attack traffic and observed the performance of our system and all the other systems taken for comparison. The attack traffic throughputs of various systems are depicted in Figures 3–6.

Figure 3 Attack traffic throughput for FMHCBP vs. Selective Pushback
All these above figures clearly depict that FMHCBP provides less attack traffic throughput than that of other systems. Increasing the probability of marking at the routers can further reduce the attack traffic throughput.

6.3.3 False alarm rate

In order to make the system effective, we also need to keep false positives and negatives as low as possible. False positives occur if valid packets are classified as attack and dropped. Classifying attack packets as valid and allowing them can lead to false negatives. As discussed, almost all the systems treat the legitimate traffic alike; we here consider only false negatives. To determine the rate of false alarm for the attack packets, i.e., false negatives, we have gradually increased the number of spoofed users and calculated the rate of attack traffic allowed into a victim for various schemes. Figures 7 and 8 show the false negative rate of various schemes for the increased number of spoofed hosts.

Figure 7 False negative rate of various systems for 3 spoofed hosts

Figure 8 False negative rate of various systems for 5 spoofed hosts

It is clear from Figures 7 and 8 that FMHCBP raises lower false alarm than other systems even if attackers attempt to spoof more hosts within the same network.

7 Practical implementation: issues

7.1 Partial deployment scenario
This section investigates the performance of FMHCBP under the partial deployment scenario. The number of routers that participate in the detection and filtering process is important in partial deployment as we cannot demand all the routers to participate in this process. This would increase the overhead of the routers. Therefore, we have tested the different participation scenarios and presented two of them.

As more packets from the same source address seem to be dropped, the victim sends a backpressure request to the upstream router as explained in Section 5. Now, the upstream router finds the genuine marking of the source host that would be at itself, from the backpressure request using equation (2). Using the marking, the upstream router probes the validity of the packets further from the host and drops them if necessary. Subsequently, we avoid the propagation of the attack traffic to the victim, thus relieving it from the burden of handling the attack traffic. Upon receiving a backpressure request, an upstream router starts the detection and filtering process. The router can even decide to propagate the request to further upstreams when it is congested. This depletes the congestion at the downstream routers. As the detection process is propagated to the upstream routers, the downstream routers become less burdened. This does not imply that all the routers must deploy our system. The routers that are close to the victim may employ it, as these systems witness more traffic than the routers that are close to the source hosts.

In Figure 9, we present the amount of attack traffic that would propagate through the routers towards the victim. Figure 9 depicts that the attack traffic throughput at the victim would be less when the defensive system is installed at the victim or closer to it. But this allows the attack traffic to traverse through the links towards the victim. The earlier the defense, the lesser the traffic on the link towards the victim and at the victim.
Figure 9 Amount of traffic towards the victim using Backpressure technique
would change the hop count value at the victim, it would be very marginal. We consider this fact and allow the packet. This would provide fair treatment to the host by maximising its throughput, without dropping the packets from it. But, if the deviation of the hop count value is significant, then FMHCBP tends to drop the legitimate traffic, thus punishing it. On the other hand, once the mismatch score for the host exceeds the threshold, an ICMP Echo request packet is sent to the host seeking for genuineness, as described earlier in the Subsection 4.2. Even though it seems that FMHCBP penalises the good flow, it is done only for few packets. After receiving the echo response for the reply packet, the packets are further allowed or dropped. Based on the response, the tables are appropriately updated.
7.3 Learning and size of the Marking and Hop Count Tables
Since the Marking and Hop Count Tables play a significant role in distinguishing the packets as good or attack, they need to keep records of genuine values. We populate these tables by extensive simulation studies with no attacks. To account for instability in routing, we intentionally make some routers fail and find the path taken by the packets to reach the destination. From this, we calculate the difference in hop count and use this as boundary for hop count values. The addition of new hosts, which are not seen during the learning period, is also allowed into these tables. The Hop Count Table has only 256 entries since TTL field is of 8 bits. Each entry has a list of source IP addresses with a specific hop count value. The size of each entry is limited. To limit the growing of the entries in both tables, we fix a size. Once they get filled, the oldest entry would be replaced by a new entry.
Obviously, if more nodes deploy FMHCBP, the scalability of the system is improved. This, in turn, would increase the processing and storage overhead on those nodes. But, even sparse deployment of FMHCBP would provide significant benefits to the network users as shown in Figure 9.
be sufficient to hold the marking information. We refer the readers to Malliga and Tamilarasi (2008) for the strategy adopted to address this. A comparison of the proposed marking scheme with other competing systems is also presented in this reference.

notification packets, a simple CSR can be used. As there is no wide deployment of Public Key Infrastructure and CRS requires a secret code that needs to be known by both parties involved in the communication, a random number is generated by the party initiating the communication and sent to the recipient of the communication. This random number serves as a secret code. The steps involved in mutual authentication are described below.

1 The sending host, i.e., the victim, sends a challenge Vc to a receiver, i.e., the nearest router which is supposed to block the packets.
2 The router generates a challenge Rc and computes the response to the victim as Rr = hash (Rc, Vc, secret code).
3 The router sends Rr and Rc to the victim.
4 The victim calculates the expected value of Rr, compares it with actual Rr and ensures the authenticity of the router.
5 The victim computes Vr = hash (Vc, Rc, secret code) and sends it to the router.
6 The router calculates expected value of Vr, compares it with actual Vr and ensures the authenticity of the victim.
By means of this simple mutual authentication, the forging of packets by the attackers can be prevented. The mutual authentication between the intermediate routers can also be performed by the above mechanism. Also, to avoid faking the ICMP Echo reply and response packets, we plan to employ this simple authentication scheme. The current version of the proposed scheme has not used any mutual authentication between the systems involved in the communication. We plan to address this during further study.
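The six-step exchange above, with both sides' messages, as an added example that is not code from the paper. HMAC-SHA256 stands in for the paper's unspecified hash (…, secret code), the secret is assumed to be shared already, and the class and function names are illustrative.

```python
"""Added example: challenge-response mutual authentication, victim and router."""
import hashlib
import hmac
import secrets


def response(secret, first, second):
    """hash(first, second, secret code), instantiated here as HMAC-SHA256.

    Each challenge is length-prefixed so (first, second) cannot be confused
    with a different split of the same concatenated bytes.
    """
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in (first, second))
    return hmac.new(secret, msg, hashlib.sha256).digest()


class Victim:
    def __init__(self, secret):
        self.secret, self.vc = secret, None

    def start(self):
        """Step 1: send a fresh challenge Vc."""
        self.vc = secrets.token_bytes(16)
        return self.vc

    def check_router(self, rc, rr):
        """Steps 4-5: verify Rr, then return Vr (None if the router fails)."""
        if self.vc is None:
            return None
        expected = response(self.secret, rc, self.vc)
        if not hmac.compare_digest(rr, expected):
            return None
        vr = response(self.secret, self.vc, rc)
        self.vc = None                      # a challenge is used only once
        return vr


class Router:
    def __init__(self, secret):
        self.secret, self.rc, self.vc = secret, None, None

    def answer(self, vc):
        """Steps 2-3: pick Rc, compute Rr = hash(Rc, Vc, secret), send both."""
        self.vc, self.rc = vc, secrets.token_bytes(16)
        return self.rc, response(self.secret, self.rc, vc)

    def check_victim(self, vr):
        """Step 6: verify Vr = hash(Vc, Rc, secret) for the pending exchange."""
        if self.rc is None:
            return False
        ok = hmac.compare_digest(vr, response(self.secret, self.vc, self.rc))
        self.rc = self.vc = None            # one attempt per challenge pair
        return ok


def run_exchange(victim_secret, router_secret):
    """Return (router authenticated to victim, victim authenticated to router)."""
    victim, router = Victim(victim_secret), Router(router_secret)
    vc = victim.start()
    rc, rr = router.answer(vc)
    vr = victim.check_router(rc, rr)
    if vr is None:
        return (False, False)
    return (True, router.check_victim(vr))


if __name__ == "__main__":
    shared = b"constructed-shared-secret"
    print(run_exchange(shared, shared))          # both sides agree
    print(run_exchange(shared, b"wrong-secret")) # router cannot prove itself
```

Because the two responses hash the challenges in opposite order, a captured Rr is not a valid Vr for the same exchange, and clearing the stored challenges makes an old Vr useless against a later Rc.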
References
Ali, K., Hassanein, H. and Zulkernine, M. (2007) Packet filtering based on source router marking and hop-count, The 32nd IEEE Conference on Local Computer Networks, Dublin, October, pp.1061–1068.
Anderson, T., Karlin, A., Savage, S. and Wetherall, D. (2001) Practical network for IP Traceback, IEEE/ACM Transactions on Networking, Vol. 9, No. 3, pp.226–237.
Ansari, N. and Belenky, A. (2003) IP traceback with deterministic packet marking, IEEE Communications Letter, Vol. 7, No. 4, pp.162–164.
Bellovin, S.M. (2000) ICMP Traceback Message, Internet Draft, Consulted in: March, http://tools.ietf.org/draft/draft-bellovin-itrace/draft-bellovin-itrace-00.txt
Chen, Y., Das, S., Dhar, P., Saddik, A.E. and Nayak, A. (2008) Detecting and preventing IP-Spoofed distributed DoS attacks, International Journal of Network Security, Vol. 7, No. 1, pp.70–81.
Choi, K.H. and Dai, H.K. (2004) A marking scheme using huffman codes for IP traceback, The 7th International Symposium on Parallel Architectures, Algorithms and Networks (SPAN04), Hong Kong, SAR, China, May, pp.421–428.
Garber, L. (2000) Denial of service attack rip in the internet, IEEE Computer, Vol. 33, No. 4, April, pp.12–17.
Jin, C., Shin, K.G., and Wang, H. (2007) Defense against spoofed IP traffic using Hop-count filtering, IEEE/ACM Transactions on Networking, Vol. 15, No. 1, pp.40–53.
Kent, S.T., Jones, C.E., Partridge, C., Sanchez, L.A., Schwartz, B., Snoren, A.C., Strayer, W.T. and Tchakountio, F. (2002) Single-packet IP traceback, IEEE/ACM Transactions on Networking, Vol. 10, No. 6, pp.721–734.
Lam, H., Li, C., Chanson, S.T. and Yeung, D. (2006) A coordinated detection and response scheme for distributed denial of service attacks, The IEEE International Conference on Communications (ICC06), Istanbul, June, Vol. 5, pp.2165–2170.
Mahajan, R., Bellovin, S.M. and Floyd, S. (2003) Controlling high bandwidth aggregates in the network, ACM SIGCOMM Computer Communication Review, Vol. 32, No. 3, pp.62–73.
Malliga, S. and Tamilarasi, A. (2008) A proposal for new marking scheme with its performance evaluation for IP Traceback, WSEAS Transactions on Computer Research, Vol. 3, No. 4, pp.259–272.
Microsoft Corporation (2006) Stop 0A in tcpip.sys When Receiving Out of Band (OOB) Data, Consulted in: 31st October, http://support.microsoft.com/support/kb/articles/Q143/4/78.asp
Mirkovic, J. (2002) D-WARD: DDoS Network Attack Recognition and Defense, PhD Dissertation Prospectus, Computer Science Department, University of California, Los Angeles, January.
Mirkovic, J., Robinson, M., Reiher, P. and Oiknomou, G. (2005a) Distributed Defense Against DDoS Attacks, Technical Report, Consulted in: www.cis.udel.edu/sunshine/publications/udel-tech-report2005-02.pdf
Mirkovic, J. and Reiher, P. (2005b) D-WARD: a source-end defense against flooding denial of service attacks, IEEE Transactions on Dependable and Secure Computing, Vol. 2, No. 3, pp.216–232.
Mittal, P. (2005) Defense Against Distributed Denial of Service Attacks, A Seminar Report, IIT, April, Guwahati, India.
National Laboratory for Applied Network Research (2005) NLANR Packet Traces, Consulted in: http://pma.nlanr.net/Traces/traces/long
Network Simulator (2008) Consulted in: http://www.isi.edu/nsnam/ns/
Peng, T., Leckie, C. and Ramamohanarao, K. (2002) Defending against distributed denial of service attacks using selective pushback, The Ninth IEEE International Conference on Telecommunication (ICT02), Beijing, China, pp.411–429.
Peng, T., Leckie, C. and Ramamohanarao, K. (2003) Detecting reflector attacks by sharing beliefs, The Global Telecommunications Conference (GLOBECOM03), December, San Francisco, Vol. 3, pp.1358–1362.
Perrig, A. and Song, D.X. (2001) Advanced and authenticated marking scheme for IP Traceback, The 20th Annual Conference of IEEE Communications and Computer Societies (INFOCOM01), Alaska, April, Vol. 2, pp.878–886.
Protecting the Network from Denial of Service Attacks (2001) The Captus Networks TRaP Technology, Consulted in: http://comnet.technion.ac.il/projects/winter03/cn10w03/PDF/TLIDSWhitePapers.pdf