University of Minnesota
University Relations
myU OneStop

Go to unit's home.

Home | Seminars and Symposia | Past seminars/symposia: Friday, April 2, 2004

DTC Seminar Series

Defending against Large-scale Internet DDoS Atacks


Adrian Perrig
Electrical and Computer Engineering
Engineering and Public Policy
Computer Science
Carnegie Mellon University

Friday, April 2, 2004
10:00 am

101 Walter Library

Adrian Perrig

Download slides (pdf 478 KB) Today's Internet hosts are threatened by IP spoofing attacks and large scale Distributed Denial-of-Service (DDoS) attacks. We propose two new defense mechanisms, Pi and SIFF. Pi enables receivers to detect packets with a spoofed IP source address, and SIFF enables receivers to stop malicious flows in the Internet.

Adrian Perrig

In Pi, a packet is marked deterministically by routers along its path towards the destination. Packets traveling along the same path will have the same marking so that an attack victim need only identify the Pi marks of attack packets to filter out all further attack packets with the same marking. In addition, the victim can associate Pi marks with source IP addresses to detect source IP address spoofing by changes in the corresponding Pi mark. Our Stateless Internet Flow Filter (SIFF) enables an end-host to selectively stop individual flows before ever reaching its network, without requiring routers to keep per-flow state and without requiring ISP cooperation. We divide all network traffic into two classes, privileged (prioritized packets subject to recipient control) and unprivileged (legacy traffic). Privileged channels are established through a capability exchange handshake. Capabilities are dynamic and verified statelessly by the routers in the network, and can be revoked by quenching update messages to an offending host. SIFF is transparent to legacy clients and servers, but only updated hosts will enjoy its benefits.


Adrian Perrig is an Assistant Professor in Electrical and Computer Engineering, Engineering and Public Policy, and Computer Science at Carnegie Mellon University. He earned his Ph.D. in Computer Science from Carnegie Mellon University, and spent three years during his Ph.D. studies at University of California at Berkeley. He received his B.Sc. in Computer Engineering from the Swiss Federal Institute of Technology in Lausanne (EPFL). Perrig's research interests revolve around building secure systems and include Internet security, security for sensor networks and mobile applications. More information about his research is available at: