Using Adaptive Bandwidth Allocation Approach to Defend DDoS Attacks

A denial of service (DoS) attack originates from a single host, whereas a distributed denial of service (DDoS) attack occurs when multiple affected systems flood the bandwidth or resources of a targeted system. Although it is not possible to be entirely exempt from DoS or DDoS attacks, we can limit malicious users by controlling the traffic flow. In this paper, we propose monitoring the traffic pattern in order to alleviate DDoS attacks. A bandwidth allocation policy is adopted that assigns normal users to a high priority queue and suspected attackers to a low priority queue. Simulations of our proposed priority queue-based scheme, conducted in a network simulator, show its effectiveness in blocking attack traffic while maintaining constant flows for legitimate traffic.
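The two-queue idea in the abstract can be illustrated with a small discrete-time simulation. This is an added example, not the paper's algorithm or code: the per-tick rate threshold used to mark a source as suspected, the tail-drop queue limit, the link capacity and the workload are all assumptions, since the abstract does not specify the detection rule.

```python
from collections import Counter, deque

def interleave(rates):
    """Yield one tick of arrivals, round-robin across sources."""
    for rnd in range(max(rates.values())):
        for src, n in rates.items():
            if rnd < n:
                yield src

def simulate(rates, capacity, threshold, queue_limit, ticks, classify=True):
    """Return packets delivered per source over `ticks` ticks.

    rates: {source: packets sent per tick} (constructed workload).
    classify=False models a single shared FIFO with no traffic monitoring.
    """
    high, low = deque(), deque()
    delivered = Counter()
    for _ in range(ticks):
        arrivals = list(interleave(rates))
        seen = Counter(arrivals)  # monitor: observed packets per source this tick
        for src in arrivals:
            # Assumed heuristic: a source above the per-tick threshold is a
            # suspected attacker and goes to the low priority queue.
            suspected = seen[src] > threshold or not classify
            queue = low if suspected else high
            if len(queue) < queue_limit:  # tail drop when the queue is full
                queue.append(src)
        budget = capacity
        # Strict priority: the low queue only gets leftover bandwidth.
        for queue in (high, low):
            while budget and queue:
                delivered[queue.popleft()] += 1
                budget -= 1
    return delivered

# Constructed workload: 3 legitimate sources, 5 flooding sources.
RATES = {"a": 2, "b": 2, "c": 2, **{f"x{i}": 20 for i in range(1, 6)}}
LEGIT = ("a", "b", "c")

def run(classify):
    return simulate(RATES, capacity=10, threshold=5, queue_limit=50,
                    ticks=100, classify=classify)

def legit_delivered(classify):
    d = run(classify)
    return sum(d[s] for s in LEGIT)

if __name__ == "__main__":
    print("priority queues:", legit_delivered(True), "of 600 legitimate packets")
    print("single FIFO:    ", legit_delivered(False), "of 600 legitimate packets")
```

With classification the legitimate sources keep their full rate and the flooding sources share only the leftover capacity; with a single FIFO the same flood displaces legitimate packets at the queue tail.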
