Preventing Distributed Denial-of-Service Flooding Attacks With Dynamic Path Identifiers

In recent years, there has been increasing interest in using path identifiers (PIDs) as inter-domain routing objects. However, the PIDs used in existing approaches are static, which makes it easy for attackers to launch distributed denial-of-service (DDoS) flooding attacks. To address this issue, in this paper we present the design, implementation, and evaluation of dynamic PID (D-PID), a framework that uses PIDs negotiated between neighboring domains as inter-domain routing objects. In D-PID, the PID of an inter-domain path connecting two domains is kept secret and changes dynamically. We describe in detail how neighboring domains negotiate PIDs and how ongoing communications are maintained when PIDs change. We build a 42-node prototype comprised of six domains to verify D-PID’s feasibility and conduct extensive simulations to evaluate its effectiveness and cost. The results from both simulations and experiments show that D-PID can effectively prevent DDoS attacks.
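The following toy Python model is an added illustration, not code or protocol from the paper: a border router forwards only on the PID it negotiated with its neighbor, so a flood built on a PID the attacker learned once is dropped after the PID rotates, while a sender that takes part in the negotiation keeps going. The negotiation itself is abstracted as both ends obtaining the same fresh random value, and the one-period grace window for the previous PID is an assumption, as are the path name and initial PID value.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class PathState:
    """Per inter-domain path: the PID in use and the one it replaced (grace window)."""
    current: int
    previous: Optional[int] = None


class BorderRouter:
    """Toy border router: packets are forwarded only if they carry a PID that
    was negotiated for the path. Assumed simplification: the previous PID stays
    valid for one rotation period so in-flight packets are not dropped."""

    def __init__(self, paths: Dict[str, int]):
        self.paths = {name: PathState(current=pid) for name, pid in paths.items()}

    def rotate(self, path: str) -> int:
        """Simulated negotiation: both ends adopt a fresh secret PID."""
        st = self.paths[path]
        new = secrets.randbits(32)
        while new in (st.current, st.previous):  # guarantee the PID really changes
            new = secrets.randbits(32)
        st.previous, st.current = st.current, new
        return new

    def forward(self, path: str, pid: int) -> bool:
        st = self.paths[path]
        return pid in (st.current, st.previous)


def flood_scenario(dynamic: bool, rounds: int = 5, pkts: int = 100) -> Dict[str, int]:
    """Attacker learned the PID once (e.g. from a leaked packet) and keeps using it;
    the legitimate sender re-learns the PID through each negotiation. Constructed
    path name and initial PID; returns how many packets each party got through."""
    path = "AS1->AS2"
    router = BorderRouter({path: 0xDEADBEEF})
    leaked = legit = router.paths[path].current
    attacker_ok = legit_ok = 0
    for _ in range(rounds):
        for _ in range(pkts):
            attacker_ok += router.forward(path, leaked)
            legit_ok += router.forward(path, legit)
        if dynamic:
            legit = router.rotate(path)  # only the negotiating sender learns the new PID
    return {"attacker_forwarded": attacker_ok, "legit_forwarded": legit_ok}
```

With static PIDs the leaked value keeps working for every round; with rotation the attacker only gets through the first round plus the one-period grace window.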
