Characterization of defense mechanisms against distributed denial of service attacks

We propose a characterization of distributed denial of service (DDOS) defenses where reaction points are network-based and attack responses are active. The purpose is to provide a framework for comparing the performance and deployment of DDOS defenses. We identify the characteristics in attack detection algorithms and attack responses by reviewing defenses that have appeared in the literature. We expect that this characterization will provide practitioners and academia insights into deploying DDOS defense as network services.

[1]  Randall J. Atkinson,et al.  Security Architecture for the Internet Protocol , 1995, RFC.

[2]  Anja Feldmann,et al.  Tradeoffs for packet classification , 2000, Proceedings IEEE INFOCOM 2000. Conference on Computer Communications. Nineteenth Annual Joint Conference of the IEEE Computer and Communications Societies (Cat. No.00CH37064).

[3]  Stefan Axelsson,et al.  Intrusion Detection Systems: A Survey and Taxonomy , 2002 .

[4]  Heejo Lee,et al.  On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law internets , 2001, SIGCOMM 2001.

[5]  Dan Schnackenberg,et al.  Infrastructure for intrusion detection and response , 2000, Proceedings DARPA Information Survivability Conference and Exposition. DISCEX'00.

[6]  Elizabeth D. Zwicky,et al.  Building Internet firewalls (2nd ed.) , 2000 .

[7]  Anna R. Karlin,et al.  Practical network support for IP traceback , 2000, SIGCOMM.

[8]  Marc Dacier,et al.  Towards a taxonomy of intrusion-detection systems , 1999, Comput. Networks.

[9]  Jelena Mirkovic,et al.  Attacking DDoS at the source , 2002, 10th IEEE International Conference on Network Protocols, 2002. Proceedings..

[10]  ShenkerScott,et al.  Controlling high bandwidth aggregates in the network , 2002 .

[11]  Dawn Xiaodong Song,et al.  Pi: a path identification mechanism to defend against DDoS attacks , 2003, 2003 Symposium on Security and Privacy, 2003..

[12]  H. Lipson Tracking and Tracing Cyber-Attacks: Technical Challenges and Global Policy Issues , 2002 .

[13]  Jun Xu Sustaining Availability of Web Services under Severe Denial of Service Attacks , 2001 .

[14]  V. Paxson End-to-end routing behavior in the internet , 2006, CCRV.

[15]  Ikuo Horiguchi,et al.  At the University of California, Davis , 1981 .

[16]  Craig Partridge,et al.  Single-packet IP traceback , 2002, TNET.

[17]  Jun Xu,et al.  IP Traceback-Based Intelligent Packet Filtering: A Novel Technique for Defending against Internet DDoS Attacks , 2003, IEEE Trans. Parallel Distributed Syst..

[18]  Fouad A. Tobagi,et al.  Packet-level traffic measurements from a tier-1 ip backbone , 2001 .

[19]  J. Peterson,et al.  Attack detection in large networks , 2001, Proceedings DARPA Information Survivability Conference and Exposition II. DISCEX'01.

[20]  Jun Li,et al.  SAVE: source address validity enforcement protocol , 2002, Proceedings.Twenty-First Annual Joint Conference of the IEEE Computer and Communications Societies.

[21]  J. M. Pullen,et al.  Countering denial-of-service attacks using congestion triggered packet sampling and filtering , 2001, Proceedings Tenth International Conference on Computer Communications and Networks (Cat. No.01EX495).

[22]  Steven M. Bellovin,et al.  ICMP Traceback Messages , 2003 .

[23]  S. Liu,et al.  On the defense of the distributed denial of service attacks: an on-off feedback control approach , 2001, IEEE Trans. Syst. Man Cybern. Part A.

[24]  Todd L. Heberlein,et al.  Network intrusion detection , 1994, IEEE Network.

[25]  S. Bellovin ICMP Traceback Message , 2003 .

[26]  kc claffy,et al.  The nature of the beast: Recent traffic measurements from an Internet backbone , 1998 .

[27]  Bill Cheswick,et al.  Firewalls and internet security - repelling the wily hacker , 2003, Addison-Wesley professional computing series.

[28]  Dawn Xiaodong Song,et al.  Advanced and authenticated marking schemes for IP traceback , 2001, Proceedings IEEE INFOCOM 2001. Conference on Computer Communications. Twentieth Annual Joint Conference of the IEEE Computer and Communications Society (Cat. No.01CH37213).

[29]  Bill Cheswick,et al.  Tracing Anonymous Packets to Their Approximate Source , 2000, LISA.

[30]  Wenke Lee,et al.  Proactive detection of distributed denial of service attacks using MIB traffic variables-a feasibility study , 2001, 2001 IEEE/IFIP International Symposium on Integrated Network Management Proceedings. Integrated Network Management VII. Integrated Management Strategies for the New Millennium (Cat. No.01EX470).

[31]  Nick McKeown,et al.  Monitoring very high speed links , 2001, IMW '01.

[32]  Jun Xu,et al.  Sustaining Availability of Web Services under Distributed Denial of Service Attacks , 2003, IEEE Trans. Computers.

[33]  MirkovicJelena,et al.  A taxonomy of DDoS attack and DDoS defense mechanisms , 2004 .

[34]  Anna R. Karlin,et al.  Network support for IP traceback , 2001, TNET.

[35]  Kihong Park,et al.  On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law internets , 2001, SIGCOMM '01.

[36]  Markus G. Kuhn,et al.  Analysis of a denial of service attack on TCP , 1997, Proceedings. 1997 IEEE Symposium on Security and Privacy (Cat. No.97CB36097).

[37]  Steven M. Bellovin,et al.  Implementing Pushback: Router-Based Defense Against DDoS Attacks , 2002, NDSS.

[38]  S. Kent IP Authentication Header , 2002 .

[39]  Paul Ferguson,et al.  Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing , 1998, RFC.

[40]  William Allen Simpson,et al.  Photuris: Session-Key Management Protocol , 1999, RFC.

[41]  Ross J. Anderson,et al.  The XenoService { A Distributed Defeat for Distributed Denial of Service , 2000 .

[42]  Hugo Krawczyk,et al.  A Security Architecture for the Internet Protocol , 1999, IBM Syst. J..

[43]  Thomer M. Gil,et al.  MULTOPS: A Data-Structure for Bandwidth Attack Detection , 2001, USENIX Security Symposium.

[44]  Heejo Lee,et al.  On the effectiveness of probabilistic packet marking for IP traceback under denial of service attack , 2001, Proceedings IEEE INFOCOM 2001. Conference on Computer Communications. Twentieth Annual Joint Conference of the IEEE Computer and Communications Society (Cat. No.01CH37213).

[45]  Priya Narasimhan,et al.  Active network based DDoS defense , 2002, Proceedings DARPA Active Networks Conference and Exposition.

[46]  Elizabeth D. Zwicky,et al.  Building internet firewalls , 1995 .

[47]  Brett Wilson,et al.  Autonomic Response to Distributed Denial of Service Attacks , 2001, Recent Advances in Intrusion Detection.

[48]  Christine E. Jones,et al.  Hash-based IP traceback , 2001, SIGCOMM '01.