Mitigating DoS attack through selective bin verification

Despite considerable attention from both the academic and commercial communities, denial-of-service (DoS) attacks represent a growing threat to network administrators and service providers. A large number of proposed DoS countermeasures attempt to detect an attack in progress and filter out the DoS attack packets. These techniques often depend on the instantiation of sophisticated routing mechanisms and on the ability to differentiate between normal and malicious messages. Unfortunately, neither of these prerequisites may be practical or possible. We propose and evaluate a defense against DoS attacks which we call selective bin verification. The technique shows promise against large DoS attacks, even when attack packets are able to permeate the network and reach the target of their attack. We explore the effectiveness of our technique by implementing an experimental testbed in which selective bin verification is successfully used to protect against DoS attacks. We formally describe the mathematical properties of our approach and delineate "tuning" parameters for defending against various attacks.
