Mitigating DDoS using Threshold-based Filtering in Collaboration with Capability Mechanisms

Capability-based approaches have been a major area of work for a long time. They are robust against address-spoofing attacks. However, they are vulnerable to a newer type of attack, the denial-of-capability attack, and bandwidth flooding remains another serious issue. This article proposes a novel approach that combines capabilities with a filtering mechanism: a dynamic threshold for traffic monitoring, implemented over an underlying basic capability approach, as an effective attempt to mitigate these two major vulnerabilities. A detailed framework is discussed in this research work along with an estimate of the expected latency, and the essential algorithms are provided for implementing the approach. The approach is an effective way to handle the loopholes in capability techniques. Since no standalone solution exists for DDoS mitigation, this work provides a collaborative defense, thereby enhancing robustness against such attacks.
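The abstract describes the combination at a high level only; the paper's own framework and algorithms are not reproduced on this page. The following is an added illustration (not the authors' code) of the two ideas working together in a single router model: privileged packets are forwarded only with a valid destination-issued capability and within a per-capability byte budget (the bandwidth-flooding guard), while capability requests, the channel a denial-of-capability flood targets, are filtered by a per-source threshold that adapts to the observed population of requesters. The capability format (an HMAC over source, destination and expiry), the threshold rule (mean plus k standard deviations of per-source request counts, with a static floor) and the byte budget are assumptions chosen for the example, and all traffic is constructed in `run_scenario`.

```python
import hmac
import hashlib
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional

# Constructed demo secret shared by the destination (issuer) and the verifying router.
ROUTER_KEY = b"constructed-demo-key"


def issue_capability(src: str, dst: str, expires: float, key: bytes = ROUTER_KEY) -> str:
    """Destination-issued capability: a keyed MAC over (src, dst, expiry) (assumed format)."""
    msg = f"{src}|{dst}|{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def verify_capability(src, dst, expires, tag, now, key=ROUTER_KEY) -> bool:
    """A capability is valid only if unexpired and its MAC matches the packet's header fields."""
    if now > expires:
        return False
    return hmac.compare_digest(issue_capability(src, dst, expires, key), tag)


@dataclass
class Packet:
    src: str
    dst: str
    size: int
    t: float
    cap: Optional[tuple] = None  # (expires, tag) on privileged packets; None = capability request


class ThresholdRouter:
    """Capability checking plus a dynamic per-source threshold on the request channel."""

    def __init__(self, window=1.0, base_threshold=5, k=2.0, cap_bytes=10_000):
        self.window = window          # seconds of request history kept per source
        self.base = base_threshold    # floor on requests per window any single source may send
        self.k = k                    # std-devs above the mean request count counted as abnormal
        self.cap_bytes = cap_bytes    # byte budget per issued capability (bandwidth-flooding guard)
        self.requests = defaultdict(deque)   # src -> timestamps of recent capability requests
        self.cap_usage = defaultdict(int)    # (src, dst, tag) -> bytes forwarded under that capability
        self.stats = {"forwarded": 0, "dropped_request": 0, "dropped_cap": 0, "dropped_bw": 0}

    def _prune(self, dq, now):
        while dq and now - dq[0] > self.window:
            dq.popleft()

    def dynamic_threshold(self, now) -> float:
        """Mean + k*std of per-source request counts in the window, never below the floor."""
        rates = []
        for dq in self.requests.values():
            self._prune(dq, now)
            rates.append(len(dq))
        if not rates:
            return self.base
        mean = sum(rates) / len(rates)
        var = sum((r - mean) ** 2 for r in rates) / len(rates)
        return max(self.base, mean + self.k * var ** 0.5)

    def process(self, pkt: Packet) -> str:
        now = pkt.t
        if pkt.cap is None:                       # request channel: the denial-of-capability target
            dq = self.requests[pkt.src]
            self._prune(dq, now)
            if len(dq) >= self.dynamic_threshold(now):
                self.stats["dropped_request"] += 1
                return "drop:request-threshold"
            dq.append(now)
            self.stats["forwarded"] += 1
            return "forward:request"
        expires, tag = pkt.cap                    # privileged channel: must carry a valid capability
        if not verify_capability(pkt.src, pkt.dst, expires, tag, now):
            self.stats["dropped_cap"] += 1
            return "drop:bad-capability"
        key = (pkt.src, pkt.dst, tag)
        if self.cap_usage[key] + pkt.size > self.cap_bytes:
            self.stats["dropped_bw"] += 1         # authorized sender exceeding its byte budget
            return "drop:capability-byte-limit"
        self.cap_usage[key] += pkt.size
        self.stats["forwarded"] += 1
        return "forward:privileged"


def run_scenario() -> dict:
    """Constructed traffic: one request flooder, three normal requesters, then privileged traffic."""
    r = ThresholdRouter()
    dst = "10.0.0.200"
    for i in range(50):                                   # flooder: 50 requests in half a second
        r.process(Packet("10.0.0.66", dst, 64, i * 0.01))
    for src in ("10.0.0.1", "10.0.0.2", "10.0.0.3"):     # normal clients: 2 requests each
        for t in (0.5, 0.6):
            r.process(Packet(src, dst, 64, t))
    cap = (10.0, issue_capability("10.0.0.1", dst, 10.0))  # destination grants 10.0.0.1 a capability
    for t in (0.7, 0.8, 0.9):                              # 3 x 4000 bytes: third exceeds the budget
        r.process(Packet("10.0.0.1", dst, 4000, t, cap))
    r.process(Packet("10.0.0.66", dst, 4000, 0.91, (10.0, "0000000000000000")))  # forged tag
    stale = (0.1, issue_capability("10.0.0.2", dst, 0.1))
    r.process(Packet("10.0.0.2", dst, 4000, 0.95, stale))  # genuine but expired capability
    return r.stats


if __name__ == "__main__":
    print(run_scenario())
```

In the constructed scenario the flooder gets only the floor of five requests through before the threshold drops the rest, the three normal clients keep their full request budget because the adaptive threshold is computed over the whole population rather than per flow in isolation, and on the privileged channel the forged and expired capabilities are rejected while a legitimate holder is cut off once its byte budget is spent. The per-capability byte budget and expiry are what keep an authorized sender from turning its capability into a flooding license; the threshold on the request channel is what keeps the capability setup path itself available.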
