Adaptive distributed traffic control service for DDoS attack mitigation

The frequency and intensity of Internet attacks are rising at an alarming pace. Several technologies and concepts have been proposed for fighting distributed denial of service (DDoS) attacks: traceback, pushback, i3, SOS and Mayday. This paper shows that in the case of DDoS reflector attacks they are either ineffective or even counterproductive. We then propose a novel concept and system that extends network users' control over their traffic into the Internet using adaptive traffic processing devices. We safely delegate partial network management capabilities from network operators to network users. All network packets with a source or destination address owned by a network user can now also be controlled within the Internet instead of only at that user's Internet uplink. By limiting the traffic control features and by restricting the realm of control to the "owner" of the traffic, we can rule out misuse of this system. Applications of our system are manifold: prevention of source address spoofing, DDoS attack mitigation, distributed firewall-like filtering, new ways of collecting traffic statistics, traceback, distributed network debugging, support for forensic analyses and many more.
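As an added illustration (not code from the paper or its authors), the following Python model captures the ownership restriction the abstract relies on: a traffic processing device accepts a control rule only from a requester authorised for an address prefix, only for addresses inside that prefix, and only from a deliberately small set of actions; the tokens, prefixes and action names are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Deliberately limited feature set: the owner may drop or rate-limit its own
# traffic, nothing else (no rewriting, no redirecting of other people's packets).
ALLOWED_ACTIONS = {"drop", "limit"}


@dataclass(frozen=True)
class Rule:
    match_prefix: str   # addresses the rule should apply to
    direction: str      # "src" or "dst": which address field is matched
    action: str


class TrafficControlDevice:
    """Model of one adaptive traffic processing device inside the network."""

    def __init__(self, authorised: Dict[str, str]):
        # token -> prefix: stands in for the operator delegating a prefix to a
        # network user (constructed; the real credential scheme is not modelled).
        self.authorised = {t: ipaddress.ip_network(p) for t, p in authorised.items()}
        self.rules: List[Tuple[ipaddress._BaseNetwork, str, str]] = []

    def install(self, token: str, rule: Rule) -> bool:
        """Accept a rule only if it stays within the requester's own realm."""
        owner = self.authorised.get(token)
        if owner is None:
            return False
        target = ipaddress.ip_network(rule.match_prefix)
        # Realm of control: the rule may only touch the requester's own addresses.
        if target.version != owner.version or not target.subnet_of(owner):
            return False
        if rule.direction not in ("src", "dst") or rule.action not in ALLOWED_ACTIONS:
            return False
        self.rules.append((target, rule.direction, rule.action))
        return True

    def process(self, src: str, dst: str) -> str:
        """Return the action applied to a packet with the given addresses."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for target, direction, action in self.rules:
            addr = s if direction == "src" else d
            if addr in target:
                return action
        return "forward"
```

A "src" rule on a device that the owner's legitimate traffic never traverses is the anti-spoofing application named in the abstract: packets claiming the owner's addresses from elsewhere are dropped, while rules aimed at foreign prefixes are refused at installation time.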
