
Distributed Hop Count Filtering and Round Trip Time Technique to combat IP spoofing based Distributed Denial of Service (DDoS) Attacks


Ritu Maheshwari
PG Scholar
Department of Computer Science
& Engineering,
National Institute of Technical
Teachers Training and Research,
Chandigarh, India
Email: ritu.nitttr@gmail.com

Dr. C. Rama Krishna


Associate Professor
Department of Computer Science &
Engineering,
National Institute of Technical Teachers
Training and Research,
Chandigarh, India
Email: rkc_98@hotmail.com

Abstract: Distributed Denial of Service (DDoS) has become a major threat to Internet communication, causing disruption of services. A DDoS attack is a DoS attack that relies on multiple compromised hosts in the network to attack the victim, thereby degrading its performance. DDoS attacks degrade service to legitimate users by consuming the communication and/or computational resources of the target. Their effects are characterized by unannounced delays and interruptions accompanied by undue losses. A number of mitigation techniques have been proposed in the literature. They enable us to distinguish between legitimate and illegitimate traffic and accordingly detect or drop the unwanted packets. Generally, attackers launch DDoS attacks by directing a massive number of attack sources to send useless traffic to the victim. The majority of DDoS attack tools use IP spoofing, which makes it very difficult to filter illegitimate packets out of the aggregated traffic because source IP addresses can be forged easily. This paper proposes a new mitigation technique, DPHCF-RTT, to minimize IP spoofing based attacks.
Keywords: DDoS, TTL, Round Trip Time (RTT), filtering techniques, Hop Count, Hop Count Filtering (HCF), defense mechanisms, mitigation techniques, probabilistic packet filtering, DPHCF-RTT

I. INTRODUCTION

A Denial of Service (DoS) attack can be characterized as an attack whose purpose is to prevent legitimate users from using a victim's servers or network resources. DDoS attacks can be performed at the network level, the operating system level and the application level. Even the most popular websites, such as Twitter, Facebook and Google, could not escape being hit, which affected millions of their users [20].
In a DDoS attack, the attacker fills the network with a large volume of request packets, thus consuming its bandwidth. To launch a DDoS attack, the attacker first scans millions of machines for vulnerable services and other weaknesses, then gains access to and compromises these zombies or slave machines; the infected machines can in turn recruit more zombies. When the assault starts, the real attacker hides his identity and sends orders to the zombies to perform the attack. A DDoS attack is therefore a comprehensive, synchronized attack initiated by a group of compromised hosts against a victim's network resource.
The most eye-opening case was the DDoS incident that targeted the White House, the Federal Trade Commission and the Department of the Treasury. A botnet of 30,000-60,000 infected computers was used. The attack traffic consumed 20-40 Gbit/s of bandwidth, the largest attack traffic observed at the time, and caused a target outage of 4-5 days, the longest outage duration recorded.
According to the CIAC (Computer Incident Advisory Capability), the first reported large-scale DDoS attack occurred in August 1999 against a university and shut down the victim's network for more than two days. On February 7, 2000, several websites including Yahoo.com were attacked and went offline for several hours; more than 10,000 online game servers (Return to Castle Wolfenstein, Halo, Counter-Strike and many others) were also attacked [34]. As per Moore et al. [35], in some cases these DDoS attacks produced about 1 Gbit/s of attack traffic against a single victim.
In January 2001, Register.com was targeted, with DNS servers used as reflectors in that attack [36]. On two occasions to date, attackers have launched DDoS attacks against the DNS root servers: the first, in October 2002, disrupted service at 9 of the 13 root servers [4]; the second, in February 2007, caused disruptions at two of the root servers [37], [40]. In January 2004, MyDoom attacked 1 million computers. Backscatter analysis has been used to assess the number, duration and focus of DDoS attacks in the Internet [38].
In this paper, section II presents DDoS attacks and their architecture, section III presents DDoS defense mechanisms and mitigation techniques, section IV presents related work, section V presents the proposed technique, and section VI gives the conclusions.
II. DDOS ATTACKS AND ITS ARCHITECTURE

During an attack, the services of the network are intentionally blocked by the attacker, making network resources unavailable to users [5]. An attack pattern captures the attacker's view: the type of attack, its prerequisites, the weaknesses it exploits, the knowledge required to perform it, and all the information about attacks that have happened in the network [1].
The two main classes of DDoS attacks are bandwidth depletion and resource depletion attacks [9], as shown in Fig. 1. A bandwidth depletion attack floods the victim network with unwanted traffic that prevents legitimate traffic from reaching the victim system. A resource depletion attack ties up the resources of the victim system itself [2]. The two major impacts of bandwidth attacks are consumption of the host's resources and consumption of the network bandwidth, of which the latter is the more threatening [12].
DDoS Attacks
  Bandwidth Depletion
    Flood Attack: UDP, ICMP
    Amplification Attack: Smurf, Fraggle
  Resource Depletion
    Protocol Exploit Attack: TCP SYN, PUSH+ACK
    Malformed Packet Attack: IP Address, IP Packet Option

FIG. 1 TAXONOMY OF DDoS ATTACKS (tree reconstructed as an outline from the figure text)


Bandwidth Depletion attacks
A flood attack involves the zombies sending large volumes of traffic to a victim system to congest the victim system's bandwidth [9]. An amplification attack involves either the attacker or the zombies sending messages to a broadcast IP address, causing all systems in the subnet reached by the broadcast address to send a message to the victim system. This multiplies the malicious traffic and exhausts the victim system's bandwidth.
Flood Attacks: In a UDP flood attack, a large number of UDP packets are sent by the attacker to either random or specified ports on the victim system [2], saturating the network and depleting the bandwidth available for legitimate service requests to the victim system [15]. ICMP flood attacks exploit the Internet Control Message Protocol (ICMP), which lets users send an echo packet to a remote host to check whether it is alive [10]. A DDoS ICMP flood occurs when the zombies send large volumes of ICMP_ECHO_REPLY packets to the victim system [9].
Amplification Attacks: A DDoS amplification attack uses the broadcast IP address to amplify and reflect the attack traffic and thus exhaust the victim system's bandwidth [2]. For this type of attack, the attacker can send the broadcast message directly, or can use the agents to send it in order to increase the volume of attacking traffic [9]. In this attack, the broadcast IP address is used
Resource Depletion Attacks
DDoS resource depletion attacks involve the attacker sending packets that misuse network protocol communications, or malformed packets that tie up network resources so that none are left for legitimate users [9].
Protocol Exploit Attacks: The Transmission Control Protocol (TCP) performs a full handshake between sender and receiver before data packets are sent. In a DDoS TCP SYN attack, the attacker instructs the zombies to send bogus TCP SYN requests to a victim server in order to tie up the server's connection-state and processor resources, and hence prevent the server from responding to legitimate requests [2]. The PUSH+ACK attack is similar to a TCP SYN attack in that its goal is to deplete the resources of the victim system; here the attacking agents send TCP packets with the PUSH and ACK bits set to one [9].
Malformed Packet Attacks: In these attacks the attacker instructs the zombies to send incorrectly formed IP packets to the victim system in order to crash it. In an IP address attack, the packet carries the same source and destination IP addresses [9], which can confuse the victim's operating system and cause it to crash. In an IP packet options attack, a malformed packet may randomize the optional fields within an IP packet and set all quality-of-service bits to one, so that the victim system must spend additional processing time analysing the traffic.
Two types of DDoS attack networks have emerged, as shown in Fig. 2: the Agent-Handler model and the Internet Relay Chat (IRC)-based model.
DDoS Attack Networks
  Agent-Handler model
    Client-handler communication
    Agent-handler communication (over TCP, UDP or ICMP)
  IRC-based model
    Secret/private channel
    Public channel

FIG. 2: A TYPICAL SCENARIO OF DDoS ATTACKS (tree reconstructed as an outline from the figure text)


DDoS Agent-Handler Attack Model: A DDoS Agent-Handler attack network consists of clients, handlers and agents. The client is where the attacker communicates with the rest of the DDoS attack system. The handlers are software packages located throughout the Internet that the attacker's client uses to communicate with the agents [22]. In descriptions of DDoS tools, the terms handler and agent are sometimes replaced with master and daemon, respectively [8].
DDoS IRC-based Attack Model: This is similar to the Agent-Handler model, except that instead of a handler program installed on a network server, an Internet Relay Chat (IRC) channel is used to connect the client to the agents. An IRC channel gives the attacker additional benefits, such as the use of legitimate IRC ports for sending commands to the agents, which makes tracking the DDoS command packets more difficult. Additionally, IRC servers tend to carry large volumes of traffic, making it easier for the attacker to hide his presence from a network administrator. In both the IRC-based and the Agent-Handler model the agents are referred to as secondary victims or zombies, and the target of the DDoS attack is referred to as the primary victim [9]. IRC itself is a multi-user, on-line chat system that allows users to create two-party or multi-party connections and type messages to each other in real time [22].
III. DDOS DEFENSE MECHANISMS AND MITIGATION TECHNIQUES

There are three essential components of DDoS countermeasures [3]: preventing the attack, which includes preventing secondary victims and detecting and neutralizing handlers; dealing with an attack while it is in progress, including detecting or preventing the attack, mitigating or stopping it, and deflecting it; and the post-attack component, which involves network forensics. Based on the underlying strategies, current DDoS detection and defense approaches fall into three categories: proactive mechanisms, reactive mechanisms and post-attack analysis [11].
Pro-active or preventive defense mechanisms:
Instead of detecting attacks by signatures (attack patterns) or anomalous behaviour, these approaches try to improve the reliability of the global Internet infrastructure by adding functionality to Internet components that prevents attacks and vulnerability exploitation. Preventive mechanisms are actions performed prior to an attack, either to eliminate the possibility of becoming a target or to help the target endure the effects of an attack. Several preventive countermeasures are [11]:
Planning a proper risk management strategy means preparing for attacks and determining what should be protected, how, and at what cost. It is a plan of procedures that guides the response to various attacks and the recovery from possible damage, and it should estimate the effects that different attack scenarios might have, from business-level issues down to technical details.
Load balancing refers to distributing key services to multiple locations, so that if an attack is primarily directed against a certain server or servers, the others may still be able to operate. Acquiring abundant bandwidth is probably the most expensive measure, but perhaps the only feasible one in extreme conditions; the aim is to acquire enough bandwidth and other resources to retain operability even under a powerful attack.
Filtering all unnecessary traffic addresses the problem at its most basic point: it is a precaution for protecting one's own hosts from being compromised and consequently used in a DDoS attack.
Reactive defense mechanisms:
If the IDS can detect the DDoS attack packets accurately, filtering mechanisms are used, which can filter out the attack stream completely, even at the source network. If the IDS cannot detect the attack stream accurately, rate limiting is used instead. Reactive mechanisms are actions performed to mitigate the effects of one or more ongoing attacks; they consist of detection and response procedures, the most important of which are discussed briefly here.
Detection is the process of determining whether the target is under attack; an attack must first be detected in order to mount an appropriate defensive response.
Response is the reaction after the detection procedure has verified that an attack is in progress. The majority of response methods include traffic filtering in some form.
Post-attack analysis or post-active methods:
The purpose of post-attack analysis is either to look for attack patterns that can later be used by an IDS, or to identify attackers using packet tracing, whose goal is to trace Internet traffic back to its true source. Post-active methods are actions performed after an attack has occurred in an attempt to mitigate the threat of DDoS in the future.
Mitigation is the process of minimizing the effect of an ongoing attack. The simplest method is to drop the packets belonging to the attacker [5]; the basic problem with this strategy is distinguishing legitimate from illegitimate clients.
Pushback [42] enables routers to identify high-bandwidth aggregates that contribute to congestion and to rate-limit them. If the congested router cannot control the aggregate itself, it requests its upstream neighbours' help in rate limiting. Pushback performs well when the attackers are located on a path separate from the legitimate traffic; otherwise it inflicts collateral damage. Further, Pushback cannot work in a non-contiguous deployment and cannot detect attacks that do not congest core routers [18]. By pushing the defense frontier towards the attack sources, more legitimate traffic can be protected.

An improved version, Selective Pushback [14], sends pushback messages directly to the routers closest to the attack sources by analysing, at the target, the change in traffic distribution across all upstream routers. The benefit is twofold. First, traffic distribution analysis can locate attack sources more accurately than purely volume-based approaches. Second, the pushback message reaches the routers closest to the attack sources directly, which mitigates the damage more quickly than the original scheme. Detection accuracy and deployment across multiple ISP domains remain big issues, however.
Active Security System (ASSYST) [10] supports a distributed response with non-contiguous deployment, with nodes equivalent to classifiers deployed only at edge networks. COSSACK [7] similarly forms a multicast group of defense nodes deployed at source and victim networks that cooperate in filtering the attack.
Yau et al. [17] propose a router throttle mechanism installed at routers close to the victim. This defense incorporates only victim-end and core defense mechanisms and thus inflicts collateral damage on legitimate traffic. It is proactive in the sense that, before aggressive packets can converge to overwhelm a server, routers along the forwarding paths regulate the contributing packet rates to more moderate levels.
DefCOM [33] adds functionality to existing defenses so that they can collaborate in DDoS detection and response through a dynamically built overlay. Three functionalities are added to existing routers or defense nodes, and a single physical node can host more than one of them: (1) A classifier functionality, added to existing defenses that can differentiate legitimate from attack traffic; a classifier marks packets recognized as legitimate with a HIGH-priority mark that guarantees priority handling by downstream DefCOM nodes. (2) A rate-limiter functionality, deployed at routers; during an attack a rate limiter runs a weighted fair share algorithm (WFSA) to prioritize the traffic it forwards to the victim, and rate-limits that traffic to preserve the victim's resources. (3) An alert generator functionality, added to defenses that can detect a DoS attack; it propagates the alert to other DefCOM nodes over the overlay, and the alert carries the IP address of the attack's victim and a desired rate limit, e.g. the size of the victim's bottleneck link. The extra infrastructure for the overlay and the need for cooperation at all points of the Internet are big concerns, and the collateral damage depends on the accuracy of the classifier.
ALPi [21] extends the packet scoring concept with reduced implementation complexity and enhanced performance.
In SIFF [26], all network traffic is separated into privileged and unprivileged packets, with the goal of protecting privileged packets from unprivileged packet flooding and allowing receivers to selectively terminate individual privileged flows so that their packets are dropped deep in the network, before arriving near the victim.
IV. RELATED WORK: PACKET FILTERING TECHNIQUES AND HOP COUNT FILTERING
Packet filtering controls access to a network by analysing incoming and outgoing packets and passing or blocking them based on the source and destination IP addresses. Packet filtering is both a tool and a technique that is a basic building block of network security [8]. The packet filter examines the header of each packet and decides whether to pass or reject it based on the contents of the header.
The probabilistic approach is the most widely used technique for uncertainty analysis of mathematical models [32]. In it, uncertainties are characterized by the probabilities associated with events, and the probability of an event can be interpreted as its frequency of occurrence: over a large number of samples or experiments, the probability of an event is the ratio of the number of times the event occurs to the total number of samples or experiments. A probability of 0 means that the event never occurs, and a probability of 1 that it always occurs.
Filtering Techniques [7]:
Ingress/Egress filtering: Ingress filtering, proposed by Ferguson et al. [41], is a restrictive mechanism that drops traffic whose source IP address does not match a domain prefix connected to the ingress router. Egress filtering is the outbound counterpart, ensuring that only assigned or allocated IP address space leaves the network. Unfortunately, this technique cannot operate effectively in real networks, where asymmetric Internet routes are not uncommon. Both ingress and egress filtering provide some opportunity to throttle the power of DDoS attacks, but it is difficult to deploy them universally.
Router based packet filtering: Route-based filtering, proposed by Park and Lee [39], extends ingress filtering and uses routing information to filter out spoofed IP packets. It is based on the principle that for each link in the core of the Internet there is only a limited set of source addresses from which traffic on that link could have originated.
History based IP filtering: This scheme is robust and does not need the cooperation of the whole Internet community [13]. However, it is ineffective when the attacks come from real (non-spoofed) IP addresses, and it requires an offline database to keep track of IP addresses, so the cost of storage and information sharing is very high.
Capability based method: The source first sends request packets to its destination, and router marks are added to the request packet as it passes through each router. The destination may or may not grant the source permission to send. Data packets carrying the granted capabilities are then sent to the destination via the routers. The main advantage is that the destination can control the traffic according to its own policy, reducing the chances of a DDoS attack [16].
Secure Overlay Services (SOS): SOS secures the communication between confirmed users and the victim. All traffic from a source is verified by a secure overlay access point (SOAP); authenticated traffic is routed anonymously, by consistent hash mapping, to a special overlay node called a beacon. SOS addresses the problem of guaranteeing communication between legitimate users and a victim during DoS attacks [28].
SAVE (Source Address Validity Enforcement): Li et al. [43] proposed the SAVE protocol, which enables routers to update the set of expected source IP addresses on each link and to block any IP packet with an unexpected source IP address. The aim of SAVE is to provide routers with information about the range of source IP addresses that should be expected on each interface.
Hop Count Filtering (HCF): Hop Count (HC) is defined as the number of hops a packet traverses as it moves from the sender to the receiver [30]. HC is not carried in the IP packet but is inferred from the IP Time-to-Live (TTL) field. The main function of the TTL field is to prevent packets from looping forever: the sender sets the initial TTL, each router on the path decrements it by one, and a packet whose TTL reaches zero is discarded. The receiver can estimate the HC by subtracting the received TTL from the closest initial TTL value that is not smaller than the received TTL. These initial TTL values are operating-system dependent and limited to a few possibilities, which include 30, 32, 60, 64, 128 and 255 [23]; the initial TTL can therefore be guessed without explicitly knowing the sending OS. (Received TTLs between 30 and 32, or between 60 and 64, are ambiguous because two initial values fit; since most Internet paths are far shorter than 30 hops, the smaller candidate is rarely the right one.) This inference can be used to defend against Distributed Denial of Service attacks [23][19][27][25].
The working principle of HCF is that the number of hops between source and destination can be used to assess the authenticity of a packet [29]. Although an attacker can forge any field in the IP header, he cannot control the number of hops an IP packet takes from its real origin to the destination. More importantly, since hop-count values are diverse, an attacker cannot randomly spoof source IP addresses while keeping the hop counts consistent. An Internet server, on the other hand, can easily infer the hop count from the TTL field of the IP header [24]. Using a mapping between IP addresses and their hop counts (an IP2HC table), the server can distinguish spoofed IP packets from legitimate ones.
Since hop-count values have a limited range, typically between 1 and 30, many IP addresses share the same hop count. Consequently, HCF cannot recognize forged packets whose claimed source IP address has the same hop count to the destination as the zombie that actually sent them. A good hop-count distribution should have two properties: it should be symmetric around the mean value, and reasonably diverse over the entire range. Symmetry is needed to take advantage of the full range of hop-count values, and diversity helps maximize the effectiveness of HCF.
Ayman Mukaddam et al. [31] proposed using both Round Trip Time (RTT) and Hop Count to detect IP spoofing. RTT is the difference between the time a packet is sent and the time its corresponding reply is received. Measuring it is cumbersome when packets are lost in the network and have to be retransmitted. RTT is influenced by the distance between sender and receiver, the link bandwidth and the queuing behaviour of the intermediate nodes. This technique tries to eliminate the weakness of HCF by relying on both HCF and RTT instead of HCF alone: the attacker now has to guess both the Hop Count and the RTT for a spoofed packet to be considered legitimate. Since these variables are independent, the probability of guessing both parameters correctly is lower than the probability of guessing only the Hop Count correctly, and neither can be spoofed easily because both are path and load dependent.
Xia Wang et al. [19] focused on eliminating the disruption caused by a DDoS attack and on tracking its source. They place filters at intermediate nodes based on a fixed Hop Count threshold. With this variation of Hop Count Filtering they protect not only the end systems but the whole network from traffic congestion.
Krishna Kumar et al. [27] proposed detecting IP spoofing by checking both the Hop Count and a path identification (PID) at every router. The PID is inserted into each IP packet in the identification field. If both the Hop Count and the PID match, the packet is considered legitimate; otherwise the routers start the attack detection process. The algorithm requires a shared key between every pair of adjacent routers.
B.R. Swain et al. [32] proposed a probability based HCF technique over conventional HCF that saves computation time. Conventional HCF drops about 90% of spoofed packets [23]; in their scheme 80% to 85% are dropped, with reduced memory overhead. Unlike HCF, which checks every packet for legitimacy, they check packets only until n malicious packets have been found, after which m packets are allowed through unchecked. Their packet analysis is based on the probability of packet arrival p, the number of malicious packets n and the number of legitimate packets m.
Haining Wang et al. [23] proposed HCF to discard spoofed IP packets at the very start of network processing. Their HCF has two states, learning and filtering. In the learning state, under normal conditions, HCF watches for abnormal TTL behaviour without discarding any packets; after an attack is detected it switches to the filtering state and discards IP packets with mismatched Hop Counts. This HCF is deployed at the victim side. It is an important technique for removing randomly spoofed IP traffic, but an attacker who builds an accurate IP2HC table of his own can evade it.

V. PROPOSED TECHNIQUE

We propose the Distributed Probability based Hop Count Filtering using Round Trip Time (DPHCF-RTT) technique. It improves the detection rate of malicious or illegitimate packets and reduces the computation time. DPHCF-RTT has been implemented in Matlab 7. We have taken a set of packet arrival rates (packets per second) and probabilities of a packet being malicious as follows:
arrival rate = {10000, 15000, 20000, 25000, 30000, 35000, 40000},
p = {0.7, 0.6, 0.5, 0.4, 0.5, 0.6, 0.7}.
The total number of malicious and non-malicious packets M, i.e. (m + n), is (arrival rate * 10). The Poisson distribution is then calculated for all seven values of the product of the arrival rate and the probability p, and is used to calculate the Total Cumulative Distribution Function (TCDF). The maximum of the TCDF gives the probability based expected number of malicious packets n among the total packets sent. The number of malicious packets actually detected is given by Count, which approaches the probability based total n. The total malicious packets m actually introduced are fewer than n. The flood_length value is given by (arrival rate * p).

Algorithm: DPHCF-RTT
For given arrival rate and p:
  Set total_packets for the arrival rate;
  Calculate flood_length of malicious packets;
  Calculate n of malicious packets;
  Set RTT value;
  Initialize Count to 0 for intermediate hops;
  Set no. of hops = hop;
  For no. of hops = 1 : hop
    For Each Packet i:
      If (Count < n)
        Extract the final TTL T and IP Address I;
        Infer the initial TTL To;
        Compute the Hop Count Hc = To - T;
        Index I to get the stored Hop-Count Hs;
        If ((Hc = Hs) and RTT value is valid)
          Packet is Legitimate;
        Else If ((Hc != Hs) or RTT value is invalid)
          Packet is Spoofed;
        End If;
        If (Packet = Spoofed)
          Count++;
          Drop the Packet;
        Else
          Allow the Packet;
        End If;
      End If;
    End For;
    total_packets = (total_packets - n);
    If (total_packets > 0)
      next_hop Count = Count + next_hop Count;
      Set total_packets to n;
    End If;
  End For;
  Compute final Count;
  Calculate detection_rate for malicious packets;
  Calculate computation_time for malicious packets;
End For;
RTT is the difference between the time a packet is sent and the time its corresponding reply is received. It is influenced by the distance between sender and receiver, the link bandwidth and the queuing behaviour of the intermediate nodes. Using both RTT and probability based distributed HCF to detect IP spoofing removes the weakness of HCF alone: the attacker now has to guess both the RTT and the Hop Count values at all the intermediate nodes for a spoofed packet to be considered legitimate. Since these variables are independent, the probability of guessing both parameters correctly is lower than the probability of guessing only the Hop Count correctly.
In DPHCF-RTT, the probable number of malicious or spoofed IP packets is calculated using the Poisson distribution. Probability based hop count filtering is applied at the intermediate nodes sequentially, in combination with the RTT check. Packets that pass the filter are forwarded to the server and illegitimate packets are discarded. Packets left unchecked at a node because of the probabilistic skip are tagged and sent on to the next intermediate node, and this repeats until every packet has been checked for legitimacy.
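The hop-count inference from TTL, the learning and filtering states of HCF, the combined hop-count plus RTT check, and the check-n-then-pass-m filtering repeated over intermediate nodes, as an added Python example. This is not code from the paper or its Matlab implementation: the client addresses, TTLs, RTT ranges and packet stream are constructed, the fail-closed handling of sources never seen in the learning state is an assumption, and n, m and the number of hops are parameters chosen for the demo.

```python
"""Added example, not the paper's code: TTL -> hop count inference, an IP2HC
table built in a learning state, a hop-count + RTT legitimacy check, and the
check-n-then-pass-m filter chained over intermediate nodes (DPHCF-RTT style).
All addresses, TTLs and RTT values below are constructed for the demo."""
from dataclasses import dataclass
from typing import Dict, List

INITIAL_TTLS = (30, 32, 60, 64, 128, 255)   # OS initial TTL values listed in the text


def infer_hop_count(ttl: int) -> int:
    """Hop count = (smallest initial TTL >= observed TTL) - observed TTL.
    Observed TTLs in 30..32 or 60..64 are ambiguous and resolve to 0..2 hops."""
    if not 0 <= ttl <= 255:
        raise ValueError("TTL must be in 0..255")
    return next(t for t in INITIAL_TTLS if t >= ttl) - ttl


@dataclass
class Packet:
    src_ip: str
    ttl: int
    rtt_ms: float   # RTT measured to the claimed source (e.g. SYN / SYN-ACK timing)
    spoofed: bool   # ground truth, used only to score the demo, never by the filter


@dataclass
class Profile:
    hop_count: int
    rtt_min_ms: float
    rtt_max_ms: float


def learn(packets: List[Packet]) -> Dict[str, Profile]:
    """Learning state: record hop count and observed RTT range per source IP
    from traffic seen under normal conditions (nothing is dropped here)."""
    table: Dict[str, Profile] = {}
    for p in packets:
        prof = table.setdefault(p.src_ip, Profile(infer_hop_count(p.ttl), p.rtt_ms, p.rtt_ms))
        prof.rtt_min_ms = min(prof.rtt_min_ms, p.rtt_ms)
        prof.rtt_max_ms = max(prof.rtt_max_ms, p.rtt_ms)
    return table


def is_legitimate(p: Packet, table: Dict[str, Profile]) -> bool:
    """Filtering state: inferred hop count must equal the stored one AND the RTT
    must lie inside the learned range. Unknown sources are treated as spoofed
    while filtering (an assumption of this example, not from the paper)."""
    prof = table.get(p.src_ip)
    if prof is None:
        return False
    return (infer_hop_count(p.ttl) == prof.hop_count
            and prof.rtt_min_ms <= p.rtt_ms <= prof.rtt_max_ms)


def filter_at_node(packets: List[Packet], table: Dict[str, Profile], n: int, m: int):
    """One intermediate node: check packets until n spoofed ones have been dropped,
    then pass the next m unchecked (tagged for the next node), and repeat."""
    forwarded, dropped, unchecked = [], [], []
    count, skip = 0, 0
    for p in packets:
        if skip:
            skip -= 1
            unchecked.append(p)
        elif is_legitimate(p, table):
            forwarded.append(p)
        else:
            dropped.append(p)
            count += 1
            if count == n:
                count, skip = 0, m
    return forwarded, dropped, unchecked


def run_dphcf_rtt(packets: List[Packet], table: Dict[str, Profile], n: int, m: int, hops: int) -> dict:
    """Chain the node filter over `hops` nodes: tagged (unchecked) packets move to
    the next node, and the last node uses m = 0 so every packet gets checked."""
    forwarded, dropped, per_hop = [], [], []
    remaining = list(packets)
    for hop in range(hops):
        f, d, remaining = filter_at_node(remaining, table, n, m if hop < hops - 1 else 0)
        forwarded += f
        dropped += d
        per_hop.append(len(d))
    spoofed_total = sum(p.spoofed for p in packets)
    return {
        "forwarded": len(forwarded),
        "dropped": len(dropped),
        "dropped_per_hop": per_hop,
        "leaked_spoofed": sum(p.spoofed for p in forwarded + remaining),
        "detection_rate": sum(p.spoofed for p in dropped) / spoofed_total if spoofed_total else 1.0,
    }


A, B = "198.51.100.7", "203.0.113.9"   # constructed legitimate clients, 12 and 3 hops away
LEARNING_PACKETS = [Packet(A, 116, 40.0, False), Packet(A, 116, 80.0, False),
                    Packet(B, 61, 10.0, False), Packet(B, 61, 30.0, False)]
IP2HC_TABLE = learn(LEARNING_PACKETS)

# Constructed attack-time stream: legitimate packets mixed with spoofed ones that claim
# A or B (wrong TTL, or right TTL but an impossible RTT) or come from an unknown source.
SAMPLE_PACKETS = [
    Packet(A, 116, 55.0, False), Packet(B, 61, 20.0, False),
    Packet(A, 50, 55.0, True),              # hop count 10, not 12
    Packet(A, 116, 3.0, True),              # hop count right, RTT far below the learned range
    Packet("192.0.2.44", 200, 12.0, True),  # never seen in the learning state
    Packet(A, 116, 70.0, False), Packet(B, 240, 20.0, True), Packet(B, 61, 12.0, False),
    Packet(B, 100, 15.0, True), Packet(A, 116, 41.0, False),
    Packet(A, 30, 60.0, True), Packet(B, 61, 29.0, False),
]

if __name__ == "__main__":
    print(run_dphcf_rtt(SAMPLE_PACKETS, IP2HC_TABLE, n=2, m=3, hops=3))
```

With n = 2, m = 3 and three hops the constructed stream gives per-hop drop counts of 4, 2 and 0, no spoofed packet reaching the server and a detection rate of 1.0. A single non-final node on its own lets the tagged packets through unchecked (two of the four it skips here are spoofed), which is why the scheme forwards the tags rather than a verdict. A real deployment must also cope with routes whose hop count changes over time, and with RTT ranges that are wide for mobile or congested clients, both of which would show up as false drops in this check.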
VI. CONCLUSIONS
A number of mitigation techniques have been proposed in the literature by various researchers. They enable us to
distinguish between legitimate and illegitimate traffic and accordingly either drop or detect the unwanted packets. HCF
Technique is used to fight against IP spoofing. This technique, which is used to filter the malicious packets from the total
number of packets possess certain limitations pertaining to computational time, detection rate of illegitimate packets while
processing.
Proposed DPHCF-RTT technique has reduced the chance of random IP spoofing of packets correctly and effectively to
prevent the victim server from such attacks. It has improved the detection rate of the malicious or illegitimate packets up
to 99% which is 80-85% for Probability based HCF approach and 90% for Conventional HCF approach. It has also shown
the reduction in the computation time for illegitimate packet filtering through DPHCF-RTT at intermediate routers.

It thus protects the victim server from IP spoofing based DDoS attacks correctly and effectively, and it also reduces
wasted CPU cycles by lowering the computation time spent on illegitimate packet filtering.
