# Miyaji Laboratory

Denial of Service (DoS) attacks have become a serious menace on the Internet. In a DoS attack, a malicious user sends a large number of packets to a specific server and stops it from functioning. More recently, Distributed Denial of Service (DDoS) attacks launched from many compromised machines have become a big problem. To launch a DoS attack, a malicious user usually forges a parameter in a packet (the number of hops, the source IP address, the TTL (Time To Live), or the distance) to hide from detection. A DoS filtering scheme therefore has to prevent the attacker from forging the parameters it uses for identification.

Defenses against DoS attacks are classified by activity into Intrusion Prevention, Intrusion Detection, Intrusion Response, and Intrusion Tolerance and Mitigation. Intrusion Prevention aims to prevent the attack completely. Intrusion Detection detects DoS attacks using, for example, a database. Intrusion Response identifies the attack source. Intrusion Tolerance and Mitigation mitigates a DoS attack with fault tolerance technology once the attack has occurred.

One of the effective countermeasures against DDoS attacks is packet filtering using a packet marking method, which marks routing information on each packet and drops attack packets based on that information.

We introduce the Pi scheme by Yaar, a filtering technology that uses a packet marking method. In this scheme, each router on the path writes information, such as its own IP address, into the Identification field of the IP header as the packet passes through, so $2^{16}$ (= 65536) different path patterns can be distinguished. Experimentally, this scheme performs well compared with other filtering methods.

Unfortunately, the Pi scheme has a drawback: it cannot efficiently deal with attack packets forged by adversaries. In the Pi scheme, the bit position a router writes to depends on the TTL. A malicious user can therefore change the marking value by forging the TTL, which makes it difficult to use the TTL for filtering. Furthermore, the marking value may not be constant when $n$ is small or when the malicious user is close to the victim, because the malicious user's own marking still remains when the victim receives the packet. In other words, in the Pi scheme the marking value changes greatly under packet forgery by a malicious user. In addition, when the malicious user is far away, the bit position to mark wraps around and the information of a far-off router is overwritten. Although measures such as "TTL unwrapping" have been examined, they are ad hoc and not useful. Moreover, such measures place a big burden on the victim.
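The three weaknesses described above can be reproduced with a small simulation of the marking step. This is an added example, not code from the laboratory or from the Pi authors; it assumes $n$ is the number of bits each router writes, takes the per-router bits as the low $n$ bits of an MD5 of the router address, and uses constructed router addresses.

```python
import hashlib

ID_BITS = 16  # width of the IP Identification field that carries the marking
PATH = ["10.0.%d.1" % i for i in range(12)]  # constructed router addresses

def router_bits(router_ip, n):
    # Assumption: low n bits of MD5(router address); the page names no function.
    return hashlib.md5(router_ip.encode()).digest()[-1] & ((1 << n) - 1)

def pi_mark(path, initial_ttl, n=2, initial_id=0):
    """Marking the victim sees; initial_ttl and initial_id are sender-chosen."""
    slots = ID_BITS // n
    ident, ttl = initial_id & 0xFFFF, initial_ttl
    for ip in path:
        shift = (ttl % slots) * n           # slot is selected by the current TTL
        mask = ((1 << n) - 1) << shift
        ident = (ident & ~mask & 0xFFFF) | (router_bits(ip, n) << shift)
        ttl -= 1                            # every router decrements the TTL
    return ident

def rotl16(value, bits):
    bits %= ID_BITS
    return ((value << bits) | (value >> (ID_BITS - bits))) & 0xFFFF

def sender_controlled_mask(hops, initial_ttl, n=2):
    """Bits no router overwrote, so the sender's initial value survives there."""
    zeros = pi_mark(PATH[:hops], initial_ttl, n, 0x0000)
    ones = pi_mark(PATH[:hops], initial_ttl, n, 0xFFFF)
    return zeros ^ ones

if __name__ == "__main__":
    near = PATH[:5]
    print("5 hops, TTL 64: %04x" % pi_mark(near, 64))
    print("5 hops, TTL 65: %04x (same path, marking rotated)" % pi_mark(near, 65))
    print("3 hops, sender-controlled bits: %04x" % sender_controlled_mask(3, 64))
    print("12 hops: %04x, last 8 hops only: %04x"
          % (pi_mark(PATH, 64), pi_mark(PATH[4:], 60)))
```

A filter keyed on the marking value alone therefore sees one path under several values when the TTL varies, and with few hops or a small $n$ most of the field is still whatever the sender put there.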

Therefore, to overcome these difficulties, we proposed simple and efficient packet filtering schemes. Through further refined experiments, we show by experimental evaluation that our schemes 1 and 1+2 are better than the Pi scheme.