Off the Wall: Lightweight Distributed Filtering to Mitigate Distributed Denial of Service Attacks

Distributed Denial of Service (DDoS) attacks are hard to deal with because it is difficult to distinguish legitimate traffic from malicious traffic, especially when the latter comes from distributed sources. Accurately filtering malicious traffic requires packet authentication primitives that are strong but costly: they increase design complexity and typically reduce throughput. The challenge is to balance throughput against the security and protection of the network core and end resources. In this paper, we propose SIEVE, a lightweight distributed filtering protocol. Depending on the attacker's ability, SIEVE can serve as a standalone filter for moderate adversary models, or as a complementary filter that enhances the performance of stronger and more complex methods for stronger adversary models.
