Shield: DoS filtering using traffic deflecting

Denial-of-service (DoS) attacks continue to be a major problem on the Internet. Many defense mechanisms have been proposed, but all of them have significant deployment issues. This paper introduces a method that overcomes these issues, allowing a small number of deployed DoS defenses to act as secure, on-demand shields for any node on the Internet. The method reroutes every packet addressed to a protected autonomous system (AS) through an intermediate filtering node, the shield, so that potentially harmful traffic can be discarded before it reaches the destination and the protected AS needs no DoS defense of its own. Packet rerouting uses existing routing techniques and requires no modification to deployed protocols or routers. To make the system feasible from both the deployment and the usage points of view, traffic rerouting and outsourced filtering can be offered as an insurance-style on-demand service that a protected AS activates only while under attack.
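The following is an added toy model of the deflect-filter-return cycle described above; it is not the paper's code and the paper's abstract does not fix these details. It assumes the shield attracts the protected prefix by announcing a more specific route (longest prefix match wins), filters with a simple per-source packet budget, and returns clean packets over a tunnel so they are not deflected back to the shield in a loop. The AS names, prefixes and packets are constructed sample data.

```python
"""Toy model of on-demand DoS filtering by traffic deflection through a shield.

Added illustration, not the paper's code. Assumptions (not stated in the
abstract): the shield announces a more-specific prefix for the protected AS,
filters with a per-source packet budget, and tunnels clean packets back so
the return path avoids the deflected route. All data below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: str = ""
    tunnel_to: Optional[str] = None   # set once the shield encapsulates it


@dataclass
class RoutingTable:
    """Longest-prefix-match table: prefix -> next-hop AS name."""
    routes: Dict[ipaddress.IPv4Network, str] = field(default_factory=dict)

    def announce(self, prefix: str, next_hop: str) -> None:
        self.routes[ipaddress.ip_network(prefix)] = next_hop

    def withdraw(self, prefix: str) -> None:
        self.routes.pop(ipaddress.ip_network(prefix), None)

    def lookup(self, dst: str) -> Optional[str]:
        addr = ipaddress.ip_address(dst)
        best = None
        for net, hop in self.routes.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, hop)
        return best[1] if best else None


class Shield:
    """Filtering node: drops a source once it exceeds its packet budget,
    encapsulates everything else toward the protected AS."""

    def __init__(self, name: str, protected_as: str, budget: int):
        self.name = name
        self.protected_as = protected_as
        self.budget = budget
        self.seen = defaultdict(int)
        self.dropped = 0

    def process(self, pkt: Packet) -> Optional[Packet]:
        self.seen[pkt.src] += 1
        if self.seen[pkt.src] > self.budget:
            self.dropped += 1
            return None
        # Tunnel the clean copy: the tunnel endpoint, not the deflected
        # prefix, decides where it goes, so it cannot loop back here.
        return Packet(pkt.src, pkt.dst, pkt.payload, tunnel_to=self.protected_as)


def deliver(table: RoutingTable, shield: Shield, pkt: Packet) -> Optional[str]:
    """Forward one packet; return the AS that finally receives it, or None if dropped."""
    if pkt.tunnel_to is not None:
        return pkt.tunnel_to                       # assumed tunnel bypasses deflection
    hop = table.lookup(pkt.dst)
    if hop == shield.name:
        clean = shield.process(pkt)
        return None if clean is None else deliver(table, shield, clean)
    return hop


def sample_packets() -> List[Packet]:
    """Constructed traffic: 3 packets from a client, 20 from a flooding source."""
    victim_host = "203.0.113.10"
    legit = [Packet("198.51.100.7", victim_host, f"GET /{i}") for i in range(3)]
    flood = [Packet("192.0.2.99", victim_host, "SYN") for _ in range(20)]
    return legit + flood


def run_scenario(packets: List[Packet], activate_shield: bool) -> Tuple[Dict[str, int], int]:
    """Return (packets received at the victim per source, packets dropped by the shield)."""
    table = RoutingTable()
    table.announce("203.0.113.0/24", "AS-VICTIM")          # victim's normal announcement
    shield = Shield("AS-SHIELD", "AS-VICTIM", budget=5)
    if activate_shield:
        # On-demand activation: more-specific announcements pull the victim's
        # traffic to the shield. Withdrawing them restores the direct path.
        table.announce("203.0.113.0/25", "AS-SHIELD")
        table.announce("203.0.113.128/25", "AS-SHIELD")
    received = defaultdict(int)
    for pkt in packets:
        if deliver(table, shield, pkt) == "AS-VICTIM":
            received[pkt.src] += 1
    return dict(received), shield.dropped


if __name__ == "__main__":
    print("direct:  ", run_scenario(sample_packets(), activate_shield=False))
    print("shielded:", run_scenario(sample_packets(), activate_shield=True))
```

The point the toy makes visible is the return path: once the shield's more-specific announcement is in place, any clean packet the shield simply forwards by destination address would be routed straight back to the shield, so the clean copy has to leave by a path the deflection does not capture (here a tunnel to the protected AS). The per-source budget stands in for whatever filtering the shield actually applies; it is not the paper's filter.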
