NetBouncer: client-legitimacy-based high-performance DDoS filtering

We describe "NetBouncer", an approach and set of technologies for providing practical and high-performance defenses against distributed denial-of-service (DDoS) attacks. The central innovation in the NetBouncer approach to filtering and mitigating DDoS attacks is the ability to distinguish legitimate traffic from illegitimate traffic, so that only illegitimate traffic is discarded. In particular, this allows a NetBouncer-enabled network to distinguish DDoS congestion from flash-crowd congestion. This provides a unique advantage over other DDoS mitigation techniques, such as those based on filtering and congestion control, where some loss of legitimate traffic is inevitable. The NetBouncer approach is characterized as an end-point-based solution to DDoS protection. It provides localized protection at potential choke points or bottlenecks that may exist in front of hosts and servers. NetBouncer attempts to block traffic as close to the victim as possible, while upstream of the nearest bottleneck. The immediate manifestation of NetBouncer technology is a high-speed, in-line packet-processing appliance based on network processor technology. However, the long-term evolution, adoption and integration of NetBouncer technology may be in the back-plane/fast path of commercial high-speed routers.
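The abstract's central claim, that a legitimacy-based filter can discard only illegitimate traffic and can tell DDoS congestion apart from a flash crowd, as an added Python simulation that is not the paper's code. It assumes a legitimacy test has already run and produced the set LEGIT of admitted sources, and that congestion made up mostly of proven sources is a flash crowd; both are assumptions, not mechanisms the page describes.

```python
"""Added simulation (not the NetBouncer paper's code): a plain rate limiter
versus a legitimacy-list filter under a DDoS mix and under a flash crowd.
The legitimacy test itself is assumed to have already run; LEGIT holds the
sources it admitted."""
from collections import namedtuple

Packet = namedtuple("Packet", "src legit")


def make_trace(n_legit, n_attack, pkts_each):
    """Constructed trace: sources interleaved round-robin, so any prefix is a fair sample."""
    sources = [(f"client{i}", True) for i in range(n_legit)]
    sources += [(f"attacker{i}", False) for i in range(n_attack)]
    return [Packet(src, ok) for _ in range(pkts_each) for src, ok in sources]


def rate_limit_filter(trace, capacity):
    """Congestion control with no notion of legitimacy: keep the first 'capacity' packets."""
    return trace[:capacity]


def legitimacy_filter(trace, legit_set, capacity):
    """NetBouncer-style: drop sources that never passed the legitimacy test, then enforce the bottleneck."""
    return [p for p in trace if p.src in legit_set][:capacity]


def loss_stats(trace, passed):
    """Return (legitimate packets lost, attack packets admitted)."""
    legit_lost = sum(p.legit for p in trace) - sum(p.legit for p in passed)
    attack_admitted = sum(not p.legit for p in passed)
    return legit_lost, attack_admitted


def classify_congestion(trace, legit_set, threshold=0.9):
    """Assumed heuristic: congestion dominated by proven-legitimate sources is a flash crowd."""
    share = sum(p.src in legit_set for p in trace) / len(trace)
    return "flash crowd" if share >= threshold else "ddos"


# Constructed scenarios; both exceed a bottleneck of 50 packets.
LEGIT = {f"client{i}" for i in range(10)}                 # sources the assumed legitimacy test admitted
DDOS = make_trace(n_legit=4, n_attack=6, pkts_each=10)    # 40 legitimate + 60 attack packets
FLASH = make_trace(n_legit=10, n_attack=0, pkts_each=10)  # 100 legitimate packets, no attackers

if __name__ == "__main__":
    for name, trace in (("ddos", DDOS), ("flash", FLASH)):
        print(name, classify_congestion(trace, LEGIT),
              "rate-limit (legit lost, attack admitted):", loss_stats(trace, rate_limit_filter(trace, 50)),
              "legitimacy:", loss_stats(trace, legitimacy_filter(trace, LEGIT, 50)))
```

Under the DDoS mix the rate limiter loses half the legitimate packets and admits 30 attack packets, while the legitimacy filter loses none; under the flash crowd both filters lose the same amount because the bottleneck is genuinely exceeded, but the classifier reports it as a flash crowd rather than an attack.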
