A composable approach to design of newer techniques for large-scale denial-of-service attack attribution

Since its early days, the Internet has witnessed not only phenomenal growth but also a large number of security attacks, and in recent years denial-of-service (DoS) attacks have emerged as one of the top threats. Stateless, destination-oriented Internet routing, combined with the ability to harness a large number of compromised machines and the relative ease and low cost of launching such attacks, has made this a hard problem to address. Additionally, the myriad requirements of scalability, incremental deployment, adequate user privacy protections, and appropriate economic incentives have further complicated the design of DDoS defense mechanisms. While the many research proposals to date have focused differently on prevention, mitigation, or traceback of DDoS attacks, the lack of a comprehensive approach satisfying the different design criteria for successful attack attribution is indeed disturbing. Our first contribution here has been the design of a composable data model that has helped us represent the various dimensions of the attack attribution problem, particularly the performance attributes of accuracy, effectiveness, speed and overhead, as orthogonal and mutually independent design considerations. We have then designed custom optimizations along each of these dimensions, and have further integrated them into a single composite model, to provide strong performance guarantees. Thus, the proposed model has given us a single framework that can not only address the individual shortcomings of the various known attack attribution techniques, but also provide a more complete countermeasure against DDoS attacks. Our second contribution here has been a concrete implementation based on the proposed composable data model, having adopted a graph-theoretic approach to identify and subse-
