论文信息 - A feedback control defense strategy for denial of service computer attacks

A feedback control defense strategy for denial of service computer attacks

Denial of service (DoS) attacks pose one of the most challenging security issues in computer networks. We propose a defense strategy against DoS attacks, which is based on a local detection component and a feedback control component. The former uses queue content information to detect potential attacks, and the latter controls the sending rate of upstream nodes. We include simulation results to illustrate the behavior of a network when using this strategy under both single-source and distributed DoS attacks, and to show its effectiveness in detecting "potential" attacks at an early stage, identifying attacking flows, and reducing the damage caused by such attacks. Finally, we identify performance metrics appropriate for optimizing the defense mechanism.

Xiaoyi Wu | C.G. Cassandras | C. Cassandras | Xiaoyi Wu

[1] S. Liu,et al. On the defense of the distributed denial of service attacks: an on-off feedback control approach , 2001, IEEE Trans. Syst. Man Cybern. Part A.

[2] Ratul Mahajan,et al. Controlling high bandwidth aggregates in the network , 2002, CCRV.

[3] Rocky K. C. Chang,et al. Defending against flooding-based distributed denial-of-service attacks: a tutorial , 2002, IEEE Commun. Mag..

[4] Bharat K. Bhargava,et al. Detecting Service Violations and DoS Attacks , 2003, NDSS.

[5] Steven M. Bellovin,et al. ICMP Traceback Messages , 2003 .

[6] Anna R. Karlin,et al. Network support for IP traceback , 2001, TNET.

[7] Mikkel Thorup,et al. Traffic engineering with traditional IP routing protocols , 2002, IEEE Commun. Mag..

[8] Heejo Lee,et al. On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law internets , 2001, SIGCOMM '01.

[9] Christos G. Cassandras,et al. Introduction to Discrete Event Systems , 1999, The Kluwer International Series on Discrete Event Dynamic Systems.

[10] Bill Cheswick,et al. Tracing Anonymous Packets to Their Approximate Source , 2000, LISA.

[11] Richard Mortier. Multi-timescale Internet traffic engineering , 2002 .

[12] Symeon Papavassiliou,et al. Network intrusion and fault detection: a statistical anomaly approach , 2002, IEEE Commun. Mag..