On Filtering of DDoS Attacks Based on Source Address Prefixes

Distributed denial of service (DDoS) attacks are a grave threat to Internet services and even to the network itself. Widely distributed "zombie" computers subverted by malicious hackers are used to orchestrate massive attacks. Any defense against such flooding attacks must solve the hard problem of distinguishing the packets that are part of the attack from legitimate traffic, so that the attack can be filtered out without much collateral damage. We explore one technique that can be used as part of DDoS defenses: using ACL rules that distinguish the attack packets from the legitimate traffic based on the source addresses in packets. One advantage of this technique is that the ACL rules can be deployed in routers deep inside the network, where the attack is not yet large enough to cause loss of legitimate traffic through congestion. The most important disadvantage is that the ACL rules themselves cause collateral damage by discarding some legitimate traffic. We use simulations to study this damage and how it is influenced by various factors. Our technique is much better than uninformed dropping due to congestion, but it produces larger collateral damage than more processing-intensive approaches. For example, it can reduce the attack size by a factor of 3 while also dropping between 2% and 10% of the legitimate traffic. We recommend the use of source address prefix based filtering in combination with other techniques, for example as a coarse pre-filter that ensures that devices performing the processing-intensive filtering are not overwhelmed.
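The trade-off the abstract describes (attack reduction factor versus fraction of legitimate traffic dropped, and how the prefix length used for aggregation shifts it) can be reproduced on a toy scale. The following is an added example, not the paper's simulator or its data: the traffic samples are constructed by hand, and the ACL-derivation rule (deny any prefix whose packet count during the attack is at least SURGE_FACTOR times its pre-attack baseline, or that carried no baseline traffic at all) is an assumed heuristic, not the paper's method. It computes the two metrics for the same attack at /24 and /16 granularity, which shows coarser prefixes raising collateral damage without filtering any more of the attack.

```python
"""Toy evaluation of source-prefix ACL filtering against a flooding attack.

Added example, not the paper's simulator. All traffic below is constructed;
the surge-factor rule used to build the ACL is an assumption for illustration.
"""
import ipaddress
from collections import Counter

# Constructed samples: (source address, packet count).
# Legitimate traffic observed before the attack (the defender's baseline).
BASELINE = [
    ("10.1.1.7", 60), ("10.1.1.9", 40),             # 10.1.1.0/24: steady users
    ("10.1.2.5", 50),                               # 10.1.2.0/24: steady users
    ("10.2.0.3", 10),                               # 10.2.0.0/24: small site
    ("198.51.100.20", 120), ("198.51.100.21", 80),  # 198.51.100.0/24: big source
    ("203.0.113.4", 30),                            # 203.0.113.0/24: steady user
]
# During the attack. Labels exist only so we can score the ACL afterwards;
# the router sees the unlabelled union of both lists.
LEGIT_DURING = [
    ("10.1.1.7", 60), ("10.1.1.9", 40),
    ("10.1.2.5", 50),
    ("10.2.0.3", 10),
    ("198.51.100.20", 120), ("198.51.100.21", 80),
    ("203.0.113.4", 40),                            # mild legitimate growth
]
ATTACK_DURING = [
    ("10.1.2.200", 500), ("10.1.2.201", 450),       # zombies sharing a /24 with users
    ("10.2.0.77", 40),                              # one zombie next to a small site
    ("192.0.2.10", 250), ("192.0.2.11", 250),       # zombies in a prefix with no baseline
    ("198.51.100.99", 100),                         # a few zombies inside a big legit prefix
]


def prefix_of(src, plen):
    """Aggregate a source address into its /plen network."""
    return ipaddress.ip_network(f"{src}/{plen}", strict=False)


def prefix_counts(samples, plen):
    """Sum packet counts per /plen prefix."""
    counts = Counter()
    for src, n in samples:
        counts[prefix_of(src, plen)] += n
    return counts


def build_acl(baseline, observed, plen, surge_factor):
    """Return the set of prefixes to deny.

    Assumed heuristic: a prefix is denied if its observed count is at least
    surge_factor times its baseline, or if it had no baseline traffic at all.
    """
    base = prefix_counts(baseline, plen)
    obs = prefix_counts(observed, plen)
    deny = set()
    for net, n in obs.items():
        b = base.get(net, 0)
        if b == 0 or n >= surge_factor * b:
            deny.add(net)
    return deny


def evaluate(acl, legit, attack, plen):
    """Score an ACL against ground truth: attack reduction factor and
    fraction of legitimate packets discarded (collateral damage)."""
    legit_total = sum(n for _, n in legit)
    attack_total = sum(n for _, n in attack)
    legit_dropped = sum(n for src, n in legit if prefix_of(src, plen) in acl)
    attack_dropped = sum(n for src, n in attack if prefix_of(src, plen) in acl)
    attack_left = attack_total - attack_dropped
    reduction = attack_total / attack_left if attack_left else float("inf")
    return {
        "reduction_factor": reduction,
        "collateral": legit_dropped / legit_total,
        "denied_prefixes": sorted(str(p) for p in acl),
    }


def run(plen, surge_factor=4.0):
    """Build the ACL from what the router actually sees, then score it."""
    observed = LEGIT_DURING + ATTACK_DURING  # unlabelled mix as seen in the network
    acl = build_acl(BASELINE, observed, plen, surge_factor)
    return evaluate(acl, LEGIT_DURING, ATTACK_DURING, plen)


if __name__ == "__main__":
    for plen in (24, 16):
        r = run(plen)
        print(f"/{plen}: attack reduced {r['reduction_factor']:.1f}x, "
              f"collateral {r['collateral']:.1%}, deny {r['denied_prefixes']}")
```

With these constructed inputs the /24 ACL cuts the attack by 15.9x while discarding 15% of legitimate packets (the users who share 10.1.2.0/24 and 10.2.0.0/24 with zombies); aggregating to /16 blocks exactly the same attack traffic but now also discards the innocent 10.1.1.0/24 users, raising collateral damage to 40%. Raising the surge factor spares more legitimate prefixes at the cost of letting more of the attack through, which is the knob a coarse pre-filter in front of a heavier scrubbing device would be tuned with.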
