
2011 International Conference on Advanced Technologies for Communications (ATC 2011)

Distributed defense of Distributed DoS using
Pushback and Communicate mechanism

Nguyen Trung Hai
University of Engineering and Technology, Vietnam National University, Hanoi, Vietnam

Doan Cao Thanh, Nguyen Van Quan, Nguyen Thi Huyen Trang, Doan Minh Phuong
University of Engineering and Technology, Vietnam National University, Hanoi, Vietnam
{s0420305, s0420333, s0420407}@coltech.vnu.vn,
users' requests by checking each packet is impractical. Second, the overwhelming quantity of packets is contributed by the many agents taking part in a DDoS attack, so the agents need not be powerful machines; a further consequence is that the traffic from each agent is too small to detect near its source. Third, attackers hide themselves carefully by IP spoofing or by other hiding mechanisms (such as intermediate agents). For these reasons, DDoS attacks are very difficult to detect. Even when the victim finds the attackers, it cannot block all of them, because of the large number of agent networks and their wide coverage. Also, since core routers only consider the destination address rather than the source address, an attacker who spoofs the agents' IP addresses makes it even harder to determine the source of the attack [6]. Moreover, from the perspective of packet content, each packet arriving at the victim is perfectly legitimate; it is only the mass of packets in a short time that overloads the victim.

We can classify DDoS defense mechanisms by time or by location. By time, there are two types: prevention (before the attack happens) and reaction (responding to an attack in progress). By the location of the defense system, they can be divided into four types: near the victim, near the attacker, in the middle, and a combination of all three.

Abstract— DDoS is one of the most dangerous ways to attack a victim network, because it uses a vast number of distributed agents to paralyze the victim. This paper presents a DDoS defense method based on the "pushback and communicate" idea (the PaC method). When the victim's gateway detects a DDoS attack, it listens on its interfaces to identify the neighbors from which the DDoS packets arrive. Those neighbors receive the DDoS information and do the same thing the victim's gateway did. By repeating this, PaC finds the exact path the DDoS packets have passed through. Every router along that path creates its own filter before sending the DDoS information on to its next neighbors.
Keywords: Denial of Service (DoS), Distributed Denial of Service (DDoS), distributed defense, push back, packet filtering, traffic monitoring

I. INTRODUCTION

A denial-of-service (DoS) attack interrupts the victim's service to legitimate clients: it prevents those clients from accessing legal services by sending a mass of packets of some kind so that the victim server is overloaded handling them. A distributed denial-of-service (DDoS) attack is a DoS attack launched from multiple attacking sources, which may be spread over a wide area. Some key terms need to be understood clearly: victim, agent, handler, stepping stone and attacker. The victim is the destination of the DDoS packets, which is expected to be interrupted or to fail. Agents are the machines that directly send attack requests to the victim; each DDoS attack is the work of a vast number of agents. Agents receive control commands from machines called handlers, which are controlled by the attacker. The attacker is the real instigator. In some cases the attacker and the handler communicate via a stepping stone to hide the attacker's real footprint. He often chooses a stepping stone in a different country to reduce the risk, both technically and legally [1]. In effect, a stepping stone is a higher-level handler. When the victim traces back, it usually finds the agents, but it is very difficult to know who the real attacker behind them is. Because of its distributed nature, a DDoS attack is much more difficult to detect and prevent. First, DDoS attacks use legitimate packets. Therefore, distinguishing between DDoS requests and real

978-1-4577-1207-4/11/$26.00 ©2011 IEEE


A. Prevention and Reaction
Prevention makes it impossible to perform a DDoS attack, either by preventing attackers from launching one (for example, by limiting the number of packets from certain sources) or by increasing system capacity and processing thresholds, such as system performance or bandwidth. That approach is impractical, however, because of the distributed nature of the attack: if the administrator doubles system performance, the number of agents can be increased by more than twice. The cost of this method also has to be considered. In practice, administrators usually choose reaction methods, which solve the problem after a DDoS attack has happened. First, they try to find out exactly which agents are joining the current attack. Then, blocking policies are applied to reduce or stop the traffic from those sources. Reaction is passive in that the victim has to suffer serious damage before the attack is blocked. Nevertheless, it is generally used because it is more practical than prevention.



control traffic in large networks, adding DDoS traffic control through a pushback mechanism with six input parameters; that mechanism, however, is still bulky and has no means of avoiding exploitation and cheating.

B. Location of the defense system
Putting the defense system near the victim is very simple, as it is not affected by other parties. This method is used to react after the victim has been attacked. It needs high system performance, because it operates while under attack. A defense system near the attacker is a good choice for DDoS defense: the DDoS flow can be detected as soon as it starts, and IP spoofing, if any, can be detected too. However, it requires a powerful system for fast detection. So far three methods implement this approach [4]. D-WARD is the most significant method following this idea; it solves the problem independently and has a significant effect (preventing 70% of TCP and ICMP attacks and supporting 7 UDP protocols in avoiding DDoS attacks) [5]. A DDoS defense center can also be placed in the middle. However, this is not a good choice, because changing the Internet's core costs a great deal and has to be agreed all over the world; for this reason it is theoretical and impractical. Finally, the best choice is the combination: the victim detects the attack and seeks help from far nodes in the Internet, and in some cases the defense is pushed to a location near the attacker. This reduces the victim system's burden, so it is chosen by many DDoS defense researchers.

III. PAC MECHANISM

A. Key terms
+ Filter: A filter is a collection of rules installed on each router (it may differ from router to router). The filter determines whether a packet is forwarded or dropped [2]. In PaC, filters block DDoS packets whose source IP address matches the agent's IP address and whose destination IP address is the victim's IP address. Each filter exists for a fixed, limited time. The final filter (the filter located nearest to the attacker) lives longer than the others.
+ Router/Gateway: In this paper, "router" means a machine or device that can route and execute the PaC protocol. "Gateway" is used in its usual meaning. In the PaC protocol there are two types of gateway: the victim's gateway and the agent's. Since networks use NAT, it is hard to trace directly to the computer inside a local network that joins the DDoS attack. For that reason, we consider the source that forwards the attack packets to be the agent's gateway. Normally this gateway transits packets between the local network and the Internet using NAT, but when one of its machines joins a DDoS attack, the gateway acts as the agent's gateway. In the special case where the attacking machine has a static IP or uses a proxy server to attack, we call the agent with the static IP, or the proxy server, the agent's gateway. For the victim's gateway the concept is the same, except that there is no proxy server for the victim.
+ Poisoned neighbors: A router R has many neighbors. Some of R's neighbors, say A and B, pass DDoS packets through to R, while R receives no DDoS packets from the others, say C and D. In this paper, we call A and B poisoned neighbors.

C. Introduction to the PaC mechanism
PaC is a new method to prevent DDoS attacks that belongs to the combination approach. It is based on two principles:
- Using filters in routers to stop DDoS packets.
- Pushing back and communicating to ask for help from routers near the attacker.
Because it uses not only the IP address but also the interface to push back, PaC can prevent IP spoofing attacks. Moreover, the supervision and inspection mechanism applied before filtering helps PaC detect cheating and exploiting.
II. RELATED WORKS

AITF (Active Internet Traffic Filter) [3] is a mechanism for blocking highly distributed denial-of-service attacks. To prevent attacks, this method uses the notion of a "Route Record", which lets each router write its IP address into each packet it forwards. As a result, each packet carries the identities of a sub-list of the border routers that forwarded it. When the network administrator suspects a DDoS attack, he immediately signals the nearest router (V_GW) to create a filter that blocks the attack. The AITF protocol then determines the router nearest to the attacker (A_GW) and connects to it to stop the attack. If A_GW cooperates, it blocks the attack; otherwise the method escalates. One of the most effective systems for defending against and reacting to DDoS attacks is D-WARD [5], as it can self-regulate according to the packets it receives. It consists of three components, observation, rate-limiting and traffic-policing, each with its own function. The traffic-policing component must be part of the source router, while the observation and rate-limiting components can obtain traffic statistics by interacting with the source router and then installing rate-limit rules. In terms of general control of network traffic, Aggregate-Based Congestion Control (ACC) and Pushback [7] aim to

B. PaC Mechanism
PaC stands for "pushback and communicate" and names both the method and the protocol. The PaC method spreads filters across routers and pushes them back toward the source by communicating. When an IP address is identified as the attacker's source, the victim's gateway activates its own filter and listens to determine which interfaces the DDoS packets arrive on. Then the victim's gateway sends requests through those interfaces asking its poisoned neighbors to create filters. Those poisoned neighbors create filters, listen, and in turn send requests to their own poisoned neighbors. This recursion stops when the router nearest to the agent is found. In this way we can determine the root router from which the DDoS packets are broadcast, whether or not its address is spoofed. The PaC protocol applies rules and messages to all routers on the network; routers that do not implement PaC are transparent to it. The mechanism is implemented in six steps:



1) Step 1
The victim detects DDoS packets from an agent with IP address a.b.c.d and sends a "start PaC protocol" request to its gateway (V_GW), with its own IP address and the agent's IP address as parameters. The victim and V_GW use an asynchronous bi-directional authentication method to ensure that the "start PaC protocol" request is not faked. If the victim uses a static IP, it takes the role of V_GW itself.
2) Step 2
V_GW creates a filter that blocks packets from a.b.c.d for the time t_start.
3) Step 3
V_GW checks whether the agent's IP address is faked by pinging a.b.c.d:
+ If there is no response, the agent is probably faking its IP; go to step 6. The time spent waiting for a response is called t_no-response.
+ If a response arrives within t_response, V_GW determines the agent's gateway (A_GW). V_GW will soon hand the filtering role over to A_GW.
4) Step 4
First, V_GW looks for the two routers nearest to the agent that have PaC installed. In Figure 1, for example, Router Y is the router nearest to the agent, followed by Router X. In the best case, Router Y is the agent's gateway (A_GW). Router Y must stop the DDoS traffic, and Router X supervises Router Y. V_GW sends a request to A_GW asking whether A_GW has PaC installed. If it has, we look for the router preceding A_GW and give it the role of supervising A_GW. The time spent finding these two routers is t_search.
+ The search works as follows: V_GW traces the route to a.b.c.d by sending ICMP packets with TTL increasing from 0. The routers on the route to A_GW respond in turn with ICMP Time Exceeded packets. V_GW then establishes a reliable connection to each of those routers to ask whether it supports PaC. The two earliest routers that answer "Yes" become Router Y and Router X respectively. If A_GW already supports PaC, only one more router is needed.
+ Next, Router X and Router Y perform the reverse check: is V_GW really the victim's gateway? If the victim has the same IP address as V_GW, this step is skipped. Otherwise, Router X and Router Y check whether V_GW precedes the victim by sending pings with TTL h+1 and h to V_GW and the victim respectively, where h is the hop count from the sending router to V_GW. If the router does not receive a valid response, that is, ICMP Time Exceeded from the victim and from V_GW, it refuses and disconnects from V_GW. Otherwise, we proceed to step 5. The total time for this mutual authentication is t_authen.
5) Step 5
+ V_GW requests Router Y to set up Filter Y for the time t_Y, and sends it R1, the volume of DDoS traffic from a.b.c.d that V_GW has received.
+ V_GW establishes a reliable connection to Router X, requests it to build Shadow X to inspect the DDoS flow from a.b.c.d during ∆t, and then terminates the connection.
+ After setting up Filter Y for t_Y, Router Y performs two actions: it stops forwarding the DDoS traffic, and it counts this traffic as R2:
- If R1 >> R2, the agent has spoofed the IP a.b.c.d. Router Y removes Filter Y and sends R2 to V_GW. V_GW compares it with R1, disconnects from Router Y, and then performs step 6.
- If R1 ≈ R2, the agent is really attacking. Router Y responds to V_GW, V_GW acknowledges and terminates the connection. Router Y now performs step 6 in the role of V_GW (called "relative pushing back").
- The time for checking R1 and R2 is called t_check.
+ If Router X monitors Router Y for ∆t without seeing a significant decrease in DDoS traffic, Router Y cannot stop the traffic; Router X therefore sets up Filter Final for the time t_long. The process finishes.

Figure 1: PaC model
6) Step 6
V_GW executes "push back and communicate": V_GW turns on its filter for t_start and sends requests to its neighbor routers. Each neighbor sets up the same filter and recursively forwards the set-up request to its own neighbors. The time a router keeps the filter is t_tmp; if a router receives more than one request to set up the filter, it simply resets t_tmp to zero.
+ If, during t_tmp, a router still receives DDoS traffic through a neighbor router, it re-sends the request up to three times. If there is still no significant reduction in DDoS traffic after that, the neighbor routers have clearly failed to carry out the task (they may not have PaC installed). In this case, the original router sets up the filter itself for t_long. The process finishes.
+ The other routers wait for t_tmp to expire, stop filtering, and build a shadow file to supervise their succeeding neighbors for t_supervise. If DDoS traffic is still being transferred during this time, they turn on the filter for t_long. The process finishes.
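The recursive step-6 propagation described above, as an added example that is not part of the paper: a small discrete-time simulation of a path of routers in which a filtering router that still sees DDoS traffic on an interface pushes the request to the neighbor behind that interface, resets t_tmp on a repeated request, and after three re-sends without effect installs its own long-lived filter. Router names, tick counts and the constants T_TMP and MAX_RESEND are assumptions of this example.

```python
"""Added example (not the paper's code): discrete-time simulation of PaC
step 6 on a single path of routers.  Names, tick counts and the constants
T_TMP / MAX_RESEND are assumptions of this example."""
from collections import defaultdict

T_TMP = 4          # lifetime of a temporary filter in ticks (t_tmp)
MAX_RESEND = 3     # re-sends before a router filters by itself for t_long

class Router:
    def __init__(self, name, pac=True):
        self.name, self.pac = name, pac
        self.links = {}                   # interface -> neighbouring Router
        self.tmp_expiry = -1              # tick at which the t_tmp filter expires
        self.final = False                # long-lived filter (t_long) installed
        self.resent = defaultdict(int)    # interface -> requests pushed so far
        self.seen = defaultdict(int)      # interface -> DDoS packets this tick

    def filtering(self, tick):
        return self.final or tick < self.tmp_expiry

    def request(self, tick):
        """A neighbour asks this router to install the filter (step 6).
        A router without PaC ignores the request: it is transparent."""
        if not self.pac:
            return False
        self.tmp_expiry = tick + T_TMP    # a repeated request resets t_tmp
        return True

def link(a, ifa, b, ifb):
    a.links[ifa], b.links[ifb] = b, a

def ingress(router, prev):
    """Interface of `router` on which traffic from `prev` arrives."""
    return next(i for i, n in router.links.items() if n is prev)

def run(path, ticks, pps=100):
    """`path` lists routers from the agent side to V_GW (last element).
    Returns, per tick, the name of the router that dropped the DDoS flow,
    or "victim" when the flow got through."""
    drops = []
    path[-1].request(0)                   # V_GW turns on its own filter
    for t in range(ticks):
        for r in path:
            r.seen = defaultdict(int)
        prev, where = None, "victim"
        for r in path:
            if prev is not None:
                r.seen[ingress(r, prev)] += pps
            if r.filtering(t):
                where = r.name            # flow stops here this tick
                break
            prev = r
        drops.append(where)
        # communicate: a filtering router that still sees DDoS traffic on an
        # interface pushes the request to the poisoned neighbour behind it
        for r in path:
            if not (r.pac and r.filtering(t)):
                continue
            for iface in list(r.seen):
                if r.resent[iface] < MAX_RESEND:
                    r.resent[iface] += 1
                    r.links[iface].request(t + 1)
                else:
                    r.final = True        # neighbour failed: filter in t_long
    return drops

def demo():
    """Constructed topology: agent -> N (no PaC) -> C -> B -> V_GW."""
    n, c, b, v = Router("N", pac=False), Router("C"), Router("B"), Router("V_GW")
    link(n, "e1", c, "e0")
    link(c, "e1", b, "e0")
    link(b, "e1", v, "e0")
    return run([n, c, b, v], 8), c, b
```

In the demo the drop point moves from V_GW to B to C within three ticks; C's re-sends to the non-PaC router N go unanswered, so C ends up with the long-lived filter while B's temporary filter simply expires.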
C. Avoid cheating

An attacker may take control of a router on the path where PaC is executing and refuse to set up the filter that the neighboring router requests. Moreover, he may control A_GW so that, when a neighbor router requests it, it pretends to have set up the filter for t_long but really keeps it only for t_cheat << t_long, or suspends the attack and resumes it when the neighbor removes its filter. Or, when V_GW handshakes with A_GW, A_GW pretends to have set up the filter, waits for V_GW to close the connection (or for t_start to elapse), and then resumes the attack.
To prevent cheating, Router X must become a shadow router that inspects Router Y's execution of PaC using a shadow called Shadow X, as shown in Figure 2. When V_GW handshakes with A_GW, V_GW also handshakes with the router preceding A_GW (Router X in this case); this router takes the role of monitoring A_GW's activity. The shadow router's monitoring, combined with re-sending the request up to three times (steps 5 and 6), prevents routers in the middle and A_GW from cheating by not setting up the filter or by setting it up only for a very short time.
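The step-5 spoof check and the Shadow X supervision described above, as an added example that is not part of the paper: `spoof_check` compares R1 and R2 at Router Y, and `shadow_verdict` runs Shadow X over constructed per-interval packet counts, flagging both the case where the traffic never drops and the case where Filter Y is removed early (t_cheat << t_long). The ratio and quiet-interval thresholds and the sample counts are assumptions.

```python
"""Added example (not the paper's code): the R1/R2 spoof check of step 5
and the Shadow X supervision used against cheating.  Thresholds and the
sample counts below are constructed for this example."""

def spoof_check(r1, r2, ratio=10.0):
    """Router Y compares R1 (DDoS traffic V_GW received from a.b.c.d) with
    R2 (what Router Y counted after installing Filter Y).  R1 >> R2 means
    the traffic never passed through Router Y, so a.b.c.d is spoofed and
    V_GW falls back to step 6; R1 ~ R2 means the agent is behind Router Y."""
    if r2 == 0 or r1 / r2 >= ratio:
        return "spoofed"
    return "attacking"

def shadow_verdict(before, after, quiet_fraction=0.1):
    """Shadow X on Router X watches DDoS traffic from a.b.c.d toward the
    victim.  `before` are per-interval packet counts seen prior to Router Y
    reporting Filter Y installed; `after` are the counts during the
    supervision window dt.  An interval is quiet when it carries less than
    quiet_fraction of the pre-filter average.  Returns (verdict, interval):
      "stopped"       Router Y really filtered for the whole window;
      "no_decrement"  traffic never dropped (filter never installed);
      "resumed"       traffic came back inside the window, i.e. Filter Y
                      was kept only for t_cheat << t_long.
    Anything but "stopped" means Router X must install Filter Final."""
    if not before or not after:
        raise ValueError("need observations on both sides of the filter")
    baseline = sum(before) / len(before)
    quiet = [n < baseline * quiet_fraction for n in after]
    if not any(quiet):
        return "no_decrement", 0
    for i in range(quiet.index(True), len(quiet)):
        if not quiet[i]:
            return "resumed", i
    return "stopped", len(after)

# Constructed sample: ~100 packets per interval before Filter Y, then a
# cheating Router Y that drops the filter again after three intervals.
BEFORE = [100, 98, 103, 101, 99]
CHEAT = [0, 0, 1, 97, 100, 102, 99, 101]
```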

1) If all routers have already set up PaC, the attack from the agent was not spoofed, and the victim and V_GW had the same IP address
The total time is calculated as follows:
+ One ping to a.b.c.d, plus two connections (V_GW to A_GW, and to Router X) to set up the filter and perform supervision, so the total time should be:
T1 = t_response + t_search + t_authen
+ Since the search is based on a traceroute to a.b.c.d, all routers support PaC, and only one shadow router has to be found:
t_search = 2*(T_tb + 2*T_tb + 3*T_tb + ... + R_tb*T_tb) + 2*R_tb*T_tb
+ The waiting time for the response:
t_response = 2*(R_tb - 1)*T_tb
+ The victim and V_GW had the same IP address:
t_authen = 0
+ The total time should be:
T1 = t_response + t_search + t_authen = (R_tb^2 + 3*R_tb - 1)*T_tb
2) If all routers have already set up PaC, the attack traffic from agent A was spoofed, and V and V_GW had the same IP address
T2 = t_no-response + t_Y
+ The waiting time with no response:
t_no-response >> 2*R_tb*T_tb
This waiting time is usually set as a constant threshold in V_GW's configuration.
+ Time to push back the request message through the whole network:
t_Y = R_tb*W_tb*T_tb
where W_tb is the average waiting time from a router receiving the request to set up the filter until it receives the DDoS flow and sends the request on to its neighbor.
+ The total time should be:
T2 = t_no-response + R_tb*W_tb*T_tb
3) If no router except V_GW supports PaC, and all agents were spoofed
V_GW checks for spoofing first, then sends the request to its neighbors; after three failures, V_GW sets up the filter itself, in time:
T3 = t_no-response + 2*t_start
4) Review
A DDoS attack boosts its performance by distributing its agents more widely; that makes G_tb increase, which means the performance index of PaC increases as well. This is one of the advantages of the PaC mechanism for defending against DDoS.

Figure 2: Use Shadow to avoid cheating

D. Avoid exploiting
A router G may pretend to be a DDoS victim in order to stop access from network H to network K. G announces to K that H is the attacker, then sends requests to execute PaC to stop all traffic from H to K. There are two ways G can do this:
+ G acts as the gateway of K (V_GW) and connects to the gateway of H (acting as A_GW) to request that a PaC filter be set up to stop traffic to K.
+ G acts as a gateway in the middle between H and K, runs the PaC protocol, and requests G's neighbors to set up filters to stop traffic from H to K.
To avoid this, in the first case, when G connects to H's gateway, it must be over a reliable connection without IP faking. After that, H's gateway still checks whether G really stands in front of H by double pinging. If not, H declines to set up the filter. In the second case, it is nearly impossible to stop traffic from H to K, for three reasons. First, routers in the core of the Internet are managed carefully by ISPs and are almost inaccessible. Second, core routers are much simpler than general-purpose machines, with fewer applications to be exploited. Last, the Internet architecture is packet switching: the route from H to K is not static but changes over time, so the cost of tracing all routes from H to K would far exceed the value of the final target.
IV. ANALYSIS

A. Time and filtering effectiveness
Suppose R_tb is the average number of routers that a packet passes through from one host to another, and T_tb is the average time a packet takes to travel from one node to the next. R_tb*T_tb may be considered constant for each host and is called the acceptable response time. Suppose F_tb is the average number of filters set up on each interface of each router (according to [3], F_tb is approximately 10,000), A is the number of attacking agents, and G_tb is the number of defending A_GWs; then A_tb = A/G_tb is the average number of agents that one A_GW must defend against. If A_tb is less than or equal to F_tb, our defense system is effective. Therefore, we take 1/A_tb as the performance index of the PaC protocol: the larger this index, the more effectively PaC works.

B. Analysis of PaC mechanism
1) Advantages
+ The PaC mechanism does not consume much Internet traffic compared with AITF [3], because it is activated only when the victim detects an attack. AITF always inserts a Route Record into every IP packet whether or not an attack is happening, which significantly increases the overhead of each IP packet.
+ V_GW tries to hand the filtering role to a router near the agent, so the DDoS traffic is stopped early and the bottleneck at the victim is reduced.



ACKNOWLEDGMENT
This work was supported by the Vietnam National
Foundation for Science and Technology Development
(NAFOSTED) for a Basic Research Project (No.
102.01.25.09).

+ PaC can prevent IP faking, cheating and exploiting.
+ It is effective at stopping DDoS even when there are many routes from attacker to victim and the routes are updated constantly.
+ PaC is implemented in the network layer; it is transparent to routers in the middle that do not have PaC installed.
+ PaC performs well even when the attacking network is highly distributed.
2) Disadvantages
+ It would be better to request core routers to set up the filter, but that may cause overhead in the whole network.
+ If the attacker rotates faked IPs, A_GW must set up many filters, one per IP, which may slow performance.
V. CONCLUSION

PaC is a mechanism to prevent DDoS by adopting the "reaction" behavior and combining several defense locations to perform distributed defense.
However, it is still a model that needs to be verified in practice. In the future, we want to implement this mechanism on Cisco-based routers to evaluate its performance with real, public DDoS data provided by ISPs.

REFERENCES

[1] Jelena Mirkovic, Sven Dietrich, David Dittrich, Peter Reiher. Internet Denial of Service: Attack and Defense Mechanisms. Prentice Hall PTR, 2004.
[2] Access list configuration in Cisco's Gigabit Ethernet Interface. />ion_guides_list.html.
[3] Katerina Argyraki, David R. Cheriton. Active Internet Traffic Filtering: Real-Time Response to Denial-of-Service Attacks. Proceedings of the USENIX Annual Technical Conference, 2005.
[4] Vicky Laurens, Abdulmotaleb El Saddik, Pulak Dhar, Vineet Srivastava. Detecting Distributed Denial of Service Attack Traffic at the Agent Machines. IEEE CCECE, 2006.
[5] J. Mirkovic. D-WARD: Source-End Defense Against Distributed Denial-of-Service Attacks. Ph.D. dissertation, University of California, Los Angeles, 2003.
[6] J. Postel. RFC 791 - Internet Protocol.


