Abstract
Denial of service (DoS) attacks on the Internet have become a pressing problem. In this paper, we describe and evaluate route-based distributed packet filtering (DPF), a novel approach to distributed DoS (DDoS) attack prevention. We show that DPF achieves proactiveness and scalability, and we show that there is an intimate relationship between the effectiveness of DPF at mitigating DDoS attacks and power-law network topology.

The salient features of this work are two-fold. First, we show that DPF is able to proactively filter out a significant fraction of spoofed packet flows and prevent attack packets from reaching their targets in the first place. The IP flows that cannot be proactively curtailed are extremely sparse, so that their origin can be localized---i.e., IP traceback---to within a small, constant number of candidate sites. We show that both performance effects, proactive and reactive, can be achieved by implementing route-based filtering on less than 20% of Internet autonomous system (AS) sites. Second, we show that the two complementary performance measures depend on the properties of the underlying AS graph. In particular, we show that the power-law structure of the Internet AS topology leads to connectivity properties which are crucial in facilitating the observed performance effects.
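The following toy model is an added illustration of the two effects the abstract describes, not code from the paper. It assumes shortest-path routing on a constructed 10-AS topology with filters at 2 of the 10 sites (20%); the topology, the filter placement and all function names are invented for the example. Each filter keeps, per incoming link, the set of source ASes whose routes can legitimately cross that link, drops anything else as spoofed, and the remaining unfiltered flows are localized to a small candidate set of origin sites.

```python
"""Toy model of route-based distributed packet filtering (DPF).

Added illustration, not the paper's code.  A filter deployed at AS f keeps,
for every incoming link (u, f), the set of source ASes whose routes can
legitimately traverse that link; a packet whose source address is outside
that set is treated as spoofed and dropped.  Routing is assumed to be
shortest-path (BFS) on a constructed 10-AS topology.
"""
from collections import deque
from itertools import permutations

# Constructed AS-level topology (undirected links): a hub AS 0 with four
# customer ASes, one of which has two customers of its own.  Not real data.
AS_LINKS = {
    0: [1, 2, 3, 4],
    1: [0, 5, 6],
    2: [0, 7],
    3: [0, 8],
    4: [0, 9],
    5: [1], 6: [1], 7: [2], 8: [3], 9: [4],
}
# Filters at 2 of the 10 ASes (20%), placed at the best-connected sites.
FILTER_SITES = {0, 1}


def bfs_parents(graph, src):
    """Shortest-path tree rooted at src (deterministic neighbour order)."""
    parent = {src: None}
    queue = deque([src])
    while queue:
        v = queue.popleft()
        for w in sorted(graph[v]):
            if w not in parent:
                parent[w] = v
                queue.append(w)
    return parent


def build_routes(graph):
    """routes[(s, d)] = list of ASes on the forwarding path from s to d."""
    routes = {}
    for s in graph:
        parent = bfs_parents(graph, s)
        for d in graph:
            if d == s:
                continue
            path = [d]
            while path[-1] != s:
                path.append(parent[path[-1]])
            routes[(s, d)] = path[::-1]
    return routes


def build_filter_tables(graph, routes, filter_sites):
    """tables[f][u] = sources whose routes may arrive at filter f via link u."""
    tables = {f: {u: set() for u in graph[f]} for f in filter_sites}
    for (s, _d), path in routes.items():
        for u, v in zip(path, path[1:]):
            if v in tables:
                tables[v][u].add(s)
    return tables


def is_spoofed(tables, f, in_link, src):
    """Route-based check at filter f for a packet arriving on link in_link."""
    return src not in tables[f][in_link]


def reaches_victim(tables, routes, attacker, src, victim):
    """Forward a packet with (possibly spoofed) source src along the route
    attacker -> victim; False if any transit filter drops it."""
    path = routes[(attacker, victim)]
    for u, v in zip(path, path[1:]):
        if v in tables and is_spoofed(tables, v, u, src):
            return False
    return True


def spoofed_flow_coverage(graph, tables, routes):
    """Fraction of spoofed flows (attacker, claimed source, victim) dropped
    before reaching the victim: the proactive effect."""
    blocked = total = 0
    for a, s, t in permutations(graph, 3):   # a != s, so every flow is spoofed
        total += 1
        blocked += not reaches_victim(tables, routes, a, s, t)
    return blocked / total


def traceback_candidates(graph, tables, routes, src, victim):
    """Sites from which a packet claiming source src could have reached the
    victim without being filtered: the reactive (traceback) effect."""
    return sorted(a for a in graph if a != victim
                  and reaches_victim(tables, routes, a, src, victim))


if __name__ == "__main__":
    routes = build_routes(AS_LINKS)
    tables = build_filter_tables(AS_LINKS, routes, FILTER_SITES)
    print("spoofed flows dropped: %.1f%%"
          % (100 * spoofed_flow_coverage(AS_LINKS, tables, routes)))
    print("possible origins of a packet claiming AS 5 that reaches AS 8:",
          traceback_candidates(AS_LINKS, tables, routes, 5, 8))
```

On this tree-shaped toy graph the two filters drop 528 of the 720 possible spoofed (attacker, claimed source, victim) flows, and a packet claiming AS 5 that still reaches AS 8 can only have originated at one of four sites. The filter tables are derived purely from the routing state, which is what makes the check proactive: no attack traffic has to be observed before it is applied.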
On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law internets. In SIGCOMM '01: Proceedings of the 2001 conference on Applications, technologies, architectures, and protocols for computer communications.