Proactive Surge Protection: A Defense Mechanism for Bandwidth-Based Attacks

Large-scale bandwidth-based distributed denial-of-service (DDoS) attacks can quickly knock out substantial parts of a network before reactive defenses can respond. Even traffic that is not under direct attack can suffer significant collateral damage if the traffic passes through links that are common to attack routes. This paper presents a proactive surge protection (PSP) mechanism that aims to provide a broad first line of defense against DDoS attacks. The approach aims to minimize collateral damage by providing bandwidth isolation between traffic flows. The proposed solution is readily deployable using existing router mechanisms and does not rely on any unauthenticated packet header information. Our extensive evaluation across two large commercial backbone networks, using both distributed and targeted attacks, shows that up to 95.5% of the network could suffer collateral damage, but our solution was able to significantly reduce the amount of collateral damage by up to 97.58% in terms of the number of packets dropped and 90.36% in terms of the number of flows with packet loss. Further, we show that PSP can maintain low packet loss rates even when the intensity of attacks is increased significantly.
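The collateral-damage effect described in the abstract, and the benefit of bandwidth isolation, can be seen in a small link-sharing model. The following Python is an illustrative simulation added for this page; it is not the paper's PSP mechanism or code. It compares a shared link where all flows suffer the same drop fraction under overload (an unisolated FIFO model) against a max-min fair allocation that isolates small legitimate flows from a large attack flow. The link capacity and the flow demands are constructed sample values, and the use of max-min fairness as the isolation policy is an assumption made for the example.

```python
"""Toy model of collateral damage on a shared link, with and without
per-flow bandwidth isolation. Illustrative example only: not the paper's
PSP mechanism. Capacities, demands and the max-min policy are assumptions."""

from dataclasses import dataclass


@dataclass
class Flow:
    name: str
    demand: float   # offered load in Mbps (constructed sample value)
    attack: bool    # True if this flow is attack traffic


def fifo_share(flows, capacity):
    """Unisolated link model: under overload every flow, legitimate or
    not, keeps the same fraction of its demand, so attack traffic drags
    innocent flows down with it (collateral damage)."""
    total = sum(f.demand for f in flows)
    if total <= capacity:
        return {f.name: f.demand for f in flows}
    scale = capacity / total
    return {f.name: f.demand * scale for f in flows}


def maxmin_share(flows, capacity):
    """Bandwidth isolation via water-filling max-min fair allocation:
    a flow never receives more than its demand, and spare capacity is
    split evenly among flows whose demand is still unmet. A large flow
    therefore cannot starve a small one."""
    alloc = {}
    remaining = list(flows)
    left = float(capacity)
    while remaining:
        share = left / len(remaining)
        satisfied = [f for f in remaining if f.demand <= share]
        if not satisfied:
            # Every remaining flow wants more than the equal share: cap them.
            for f in remaining:
                alloc[f.name] = share
            break
        for f in satisfied:
            alloc[f.name] = f.demand
            left -= f.demand
        done = {f.name for f in satisfied}
        remaining = [f for f in remaining if f.name not in done]
    return alloc


def legit_loss(flows, alloc):
    """Return (Mbps dropped from legitimate flows, number of legitimate
    flows that see any loss): the two collateral-damage metrics."""
    dropped = 0.0
    hurt = 0
    for f in flows:
        if f.attack:
            continue
        lost = f.demand - alloc[f.name]
        if lost > 1e-9:
            dropped += lost
            hurt += 1
    return dropped, hurt


# Constructed scenario: a 100 Mbps link carrying three legitimate flows
# and one attack flow offering ten times the link capacity.
LINK_CAPACITY = 100.0
SAMPLE_FLOWS = [
    Flow("web", 10.0, False),
    Flow("mail", 20.0, False),
    Flow("backup", 30.0, False),
    Flow("attack", 1000.0, True),
]


def compare(flows=SAMPLE_FLOWS, capacity=LINK_CAPACITY):
    """Collateral damage with and without isolation, as a dict."""
    fifo = fifo_share(flows, capacity)
    isolated = maxmin_share(flows, capacity)
    return {
        "fifo_loss": legit_loss(flows, fifo),
        "isolated_loss": legit_loss(flows, isolated),
        "attack_rate_isolated": isolated["attack"],
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

In the unisolated case the legitimate flows keep under 6 of their 60 Mbps and all three see loss; with isolation they are fully served and the attack flow is confined to the 40 Mbps left over. The real mechanism in the paper operates across backbone topologies and router queueing features rather than a single link, but the direction of the effect is the same.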
