Intra-domain IP traceback using OSPF

Denial of service (DoS) attacks are a serious threat to the proper operation of services within network domains. In this paper, we propose a system that creates an overlay network to provide intra-domain IP traceback to deal with this threat. The main contribution of our proposal with respect to previous work is its ability to provide partial and progressive deployment of the traceback system throughout a monitored network domain. We build the overlay network using the OSPF routing protocol through the creation of an IP Traceback Opaque LSA (Link State Advertisement). We also investigate and evaluate the performance of partial and progressive deployment of the proposed system, showing its suitability even for large network domains.
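The abstract describes two mechanisms without giving their details: traceback-capable routers announce themselves by flooding an Opaque LSA, and the routers that learn those LSAs from the link-state database derive an overlay among the capable routers, so that the overlay grows as more routers are enabled (progressive deployment). The following Python is an added illustration of that idea, not code from the paper. It assumes an area-local Opaque LSA (LS type 10, RFC 5250), a hypothetical placeholder opaque type value for the traceback LSA, a constructed six-router topology, and an assumed overlay-neighbour rule (two capable routers are overlay neighbours when the OSPF shortest path between them crosses no other capable router); the paper may define the overlay differently.

```python
"""Added example: derive an intra-domain traceback overlay from OSPF Opaque LSAs.
Not the paper's code; the LSA opaque type, topology and overlay rule are assumptions."""
import heapq

# Opaque LSA with area-local flooding scope (LS type 10, RFC 5250).
OPAQUE_LSA_AREA_LOCAL = 10
# Opaque type carried in the high 8 bits of the Link State ID.
# 1 is the Traffic Engineering LSA (RFC 3630); 250 is a HYPOTHETICAL placeholder
# standing in for whatever value a traceback LSA would be assigned.
OPAQUE_TYPE_TE = 1
OPAQUE_TYPE_TRACEBACK = 250


def opaque_lsa(advertising_router, opaque_type, opaque_id):
    """Minimal Opaque LSA record: Link State ID = opaque type (8 bits) || opaque ID (24 bits)."""
    return {
        "ls_type": OPAQUE_LSA_AREA_LOCAL,
        "link_state_id": ((opaque_type & 0xFF) << 24) | (opaque_id & 0xFFFFFF),
        "advertising_router": advertising_router,
    }


def traceback_members(lsdb):
    """Routers that flooded a traceback Opaque LSA are the overlay members."""
    return {
        lsa["advertising_router"]
        for lsa in lsdb
        if lsa["ls_type"] == OPAQUE_LSA_AREA_LOCAL
        and (lsa["link_state_id"] >> 24) == OPAQUE_TYPE_TRACEBACK
    }


def dijkstra(graph, src):
    """Standard shortest-path computation over the OSPF link-cost graph."""
    dist, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v, w in graph[u].items():
            nd = d + w
            if nd < dist.get(v, float("inf")):
                dist[v], prev[v] = nd, u
                heapq.heappush(heap, (nd, v))
    return dist, prev


def shortest_path(prev, src, dst):
    """Reconstruct the src->dst path from Dijkstra predecessors."""
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1]


def overlay_edges(graph, members):
    """Assumed rule: two members are overlay neighbours when the shortest path
    between them traverses no other member (intermediate non-capable routers are tunnelled over)."""
    edges = set()
    for a in members:
        dist, prev = dijkstra(graph, a)
        for b in members:
            if b == a or b not in dist:
                continue
            interior = shortest_path(prev, a, b)[1:-1]
            if not any(r in members for r in interior):
                edges.add(frozenset((a, b)))
    return edges


def build_overlay(graph, lsdb):
    """Membership comes from the LSDB; adjacency from the routing graph."""
    members = traceback_members(lsdb)
    return members, overlay_edges(graph, members)


# Constructed topology: link costs chosen so no two shortest paths tie.
TOPOLOGY = {
    "R1": {"R2": 1},
    "R2": {"R1": 1, "R3": 1, "R5": 2},
    "R3": {"R2": 1, "R4": 1},
    "R4": {"R3": 1, "R5": 2, "R6": 1},
    "R5": {"R2": 2, "R4": 2},
    "R6": {"R4": 1},
}

# Constructed LSDB: three routers announce traceback capability; R2's TE LSA must be ignored.
LSDB_INITIAL = [
    opaque_lsa("R1", OPAQUE_TYPE_TRACEBACK, 1),
    opaque_lsa("R4", OPAQUE_TYPE_TRACEBACK, 1),
    opaque_lsa("R6", OPAQUE_TYPE_TRACEBACK, 1),
    opaque_lsa("R2", OPAQUE_TYPE_TE, 7),
]
# Progressive deployment: R3 is later enabled and floods its own LSA.
LSDB_AFTER_R3 = LSDB_INITIAL + [opaque_lsa("R3", OPAQUE_TYPE_TRACEBACK, 1)]

if __name__ == "__main__":
    for label, lsdb in (("initial", LSDB_INITIAL), ("after R3", LSDB_AFTER_R3)):
        members, edges = build_overlay(TOPOLOGY, lsdb)
        print(label, sorted(members), sorted(sorted(e) for e in edges))
```

In the initial deployment R1 and R4 become overlay neighbours across the non-capable R2 and R3, so a trace from R6 towards R1 hops R6, R4, R1 on the overlay. Enabling R3 splits that hop into R1, R3 and R3, R4 without any other router being reconfigured, which is the partial-deployment property the abstract emphasises.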
