Detection and defense against DDoS attack with IP spoofing
Main authors: | , , |
---|---|
Format: | Conference proceedings |
Language: | eng |
Summary: | Distributed denial-of-service (DDoS) attacks are a significant problem because they are very hard to detect, there is no comprehensive solution, and they can shut an organization off from the Internet. The primary goal of an attack is to deny the victim's access to a particular resource. DDoS is implemented using source IP address spoofing. This paper provides a framework for detecting the attack and dropping the spoofed packets. The legitimacy of a packet can be determined by analyzing the number of hops the packet has gone through before reaching the destination. An attacker can forge any field in the IP packet, including TTL, but cannot control the hop count. By generating an IP-to-hop-count mapping table and inspecting it, spoofed packets can be identified. HCF (hop count filter) is used to classify legitimate and spoofed packets with little collateral damage. HCF causes delay in the critical path of packet processing in the kernel because of the enormous IP2HC mapping table. This overhead is reduced by identifying the attackers in the learning state and then dropping spoofed packets in the filtering state. The CPU overhead can be reduced by implementing it in the Linux kernel in terms of interrupts. |
---|---|
DOI: | 10.1109/ICCCNET.2008.4787693 |