Detecting Service Violations and DoS Attacks

A Denial of Service (DoS) attack is a serious threat to the Internet. A DoS attack can consume memory, CPU, and network resources and damage or shut down the operation of the resource under attack (the victim). A common DoS attack floods a network with bogus traffic so that legitimate users may be unable to communicate. Several proposals trace back the network attack path to identify the source of the DoS attack. Traceback is effective for locating the attacker, but it is not preventive in nature. Ingress filtering and route-based filtering are two proactive approaches to stopping DoS attacks. These solutions check the source addresses of incoming packets to ensure that they come from legitimate sources or have traversed proper routes. We study several existing schemes that deal with DoS attacks and describe several network monitoring approaches for detecting service violations and DoS attacks. In addition, we propose a new distributed scheme that reduces monitoring overhead. Finally, we conduct a quantitative comparison of all the schemes, highlighting the merits of each and estimating the overhead (both computation and communication) it introduces. The comparison provides guidelines for selecting the appropriate scheme, or a combination of schemes, based on the requirements and on how much overhead can be tolerated.
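As an added illustration of the two proactive filters named in the abstract (this is example code, not code from the paper): ingress filtering accepts a packet on a customer-facing interface only if its source address lies in that customer's assigned prefix, while route-based filtering drops packets whose source prefix could not plausibly have arrived on that interface according to the routing table. The interface names, prefixes, and sample packets are constructed for the example.

```python
import ipaddress
from collections import Counter

# Constructed edge-router topology: customer-facing interfaces and the
# prefixes legitimately assigned to each (documentation address ranges).
INGRESS_PREFIXES = {
    "eth1": [ipaddress.ip_network("192.0.2.0/24")],       # customer A
    "eth2": [ipaddress.ip_network("198.51.100.0/24")],    # customer B
}

# Route-based view: for each known source prefix, the interfaces on which
# packets from that prefix can plausibly arrive given the routing topology.
ROUTE_TABLE = {
    ipaddress.ip_network("192.0.2.0/24"): {"eth1"},
    ipaddress.ip_network("198.51.100.0/24"): {"eth2"},
    ipaddress.ip_network("203.0.113.0/24"): {"eth0"},     # upstream side
}

def ingress_ok(iface, src):
    """Ingress check: on a customer interface, src must lie in that customer's prefix."""
    prefixes = INGRESS_PREFIXES.get(iface)
    if prefixes is None:
        return True  # transit interface: customer ingress rule does not apply
    return any(src in p for p in prefixes)

def route_ok(iface, src):
    """Route-based check: src's prefix must be reachable via iface; unknown prefixes pass."""
    for prefix, ifaces in ROUTE_TABLE.items():
        if src in prefix:
            return iface in ifaces
    return True  # caveat: no topology knowledge for this prefix, so it cannot be judged

def filter_packets(packets):
    """Classify (iface, src, dst) tuples; return accepted packets and a Counter of drop reasons."""
    accepted, drops = [], Counter()
    for iface, src, dst in packets:
        s = ipaddress.ip_address(src)
        if not ingress_ok(iface, s):
            drops["ingress-spoof"] += 1
        elif not route_ok(iface, s):
            drops["route-mismatch"] += 1
        else:
            accepted.append((iface, src, dst))
    return accepted, drops

# Constructed sample traffic: one spoofed source on a customer link, one
# customer prefix arriving from the upstream side, and three legitimate packets.
SAMPLE = [
    ("eth1", "192.0.2.10", "203.0.113.5"),      # customer A, own prefix: accepted
    ("eth1", "198.51.100.7", "203.0.113.5"),    # customer B's address on A's link: spoof
    ("eth0", "192.0.2.10", "203.0.113.5"),      # A's prefix from upstream: route mismatch
    ("eth0", "203.0.113.5", "192.0.2.10"),      # upstream prefix on upstream link: accepted
    ("eth0", "100.64.0.1", "192.0.2.10"),       # unknown prefix: passes (see caveat)
]
```

The last sample packet shows the limitation the abstract alludes to: filtering is only as good as the address and route knowledge available at the filtering point.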
