Impact of denial of service solutions on network quality of service

The Internet has become a universal communication network tool. It has evolved from a platform that supports best-effort traffic to one that now carries different traffic types, including continuous media with quality of service (QoS) requirements. As more services are delivered over the Internet, the risk to their availability grows, because malicious attacks on those Internet services continue to increase. Several networks have witnessed denial of service (DoS) and distributed denial of service (DDoS) attacks over the past few years that disrupted the QoS of network services, thereby violating the Service Level Agreement (SLA) between the client and the Internet Service Provider (ISP). Hence DoS and DDoS attacks are major threats to network QoS. In this paper we survey techniques and solutions that have been deployed to thwart DoS and DDoS attacks, and we evaluate them in terms of their impact on network QoS for Internet services. We also present vulnerabilities in QoS protocols that can be exploited and that, if exploited, also affect QoS. In addition, we highlight challenges that still need to be addressed to achieve end-to-end QoS with recently proposed DoS/DDoS solutions. Copyright © 2010 John Wiley & Sons, Ltd.
