DDoS Defense Deployment with Network Egress and Ingress Filtering

In this paper, we propose a DDoS defense architecture named NEIF (Network Egress and Ingress Filtering), which is deployed at the edge routers of Internet Service Providers (ISPs) to block DDoS attacks entering and leaving the ISPs' networks. The main challenge is to implement NEIF with a small, fixed amount of memory and low implementation complexity so that it is acceptable to ISPs. We first design a Bloom-filter-based data structure that identifies and measures only a few relatively large flows rather than all flows, so that the required memory is independent of link speed and the number of flows. The relatively large flows are then rate-limited to their fair share based on packet symmetry, the ratio of received to transmitted packets of a host. Dropping decisions for each flow are made directly from the observed counters, which keeps implementation complexity low. Finally, we implement NEIF with Click and evaluate it experimentally on PlanetLab. The experimental results validate our analysis and show that the Internet can benefit from NEIF even under partial deployment.
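As an added illustration (not the paper's own code), the following Python sketches the two mechanisms the abstract describes: a fixed-memory hash sketch that flags only relatively large flows, and packet-symmetry policing that holds those flows to a fair share derived from how many packets the sending host has received. The class and parameter names, the thresholds, the use of a count-min style sketch in place of the paper's Bloom-filter structure, and the constructed traffic are all assumptions.

```python
import hashlib
from collections import defaultdict

class FlowSketch:
    """Fixed-size multi-hash counter array (count-min style); assumed stand-in for the paper's structure."""
    def __init__(self, rows=4, width=1024):
        self.rows, self.width = rows, width
        self.tables = [[0] * width for _ in range(rows)]   # memory independent of flow count
    def _idx(self, key, row):
        digest = hashlib.sha256(f"{row}:{key}".encode()).digest()
        return int.from_bytes(digest[:4], "big") % self.width
    def add(self, key):
        for r in range(self.rows):
            self.tables[r][self._idx(key, r)] += 1
    def estimate(self, key):  # may overestimate on collisions, never underestimates
        return min(self.tables[r][self._idx(key, r)] for r in range(self.rows))

class EdgeFilter:
    """Egress policing at an ISP edge router (hypothetical NEIF-like logic, not the paper's code)."""
    def __init__(self, large_threshold=20, max_ratio=3.0):
        self.sketch = FlowSketch()
        self.large_threshold = large_threshold  # packets before a flow counts as "large"
        self.max_ratio = max_ratio              # allowed forwarded:received packet ratio per host
        self.rx = defaultdict(int)              # packets received by each inside host
        self.fwd = defaultdict(int)             # packets forwarded for each inside host
    def ingress(self, dst):
        self.rx[dst] += 1
    def egress(self, src, dst):
        """Return True to forward an outbound packet, False to drop it."""
        self.sketch.add((src, dst))
        if self.sketch.estimate((src, dst)) <= self.large_threshold:
            self.fwd[src] += 1
            return True                         # small flows are never policed
        # Large flow: hold the host to its fair share, max_ratio packets out per packet in.
        if self.fwd[src] < self.max_ratio * max(self.rx[src], 1):
            self.fwd[src] += 1
            return True
        return False

def simulate():
    """Constructed traffic: a flooder that gets few replies and a host in a balanced exchange."""
    edge = EdgeFilter()
    for _ in range(4): edge.ingress("10.0.0.5")     # flooder receives only 4 packets
    for _ in range(30): edge.ingress("10.0.0.7")    # balanced host receives 30 packets
    forwarded = defaultdict(int)
    for _ in range(200):                            # flooder sends 200 packets to one victim
        forwarded["10.0.0.5"] += edge.egress("10.0.0.5", "203.0.113.9")
    for _ in range(30):                             # balanced host sends 30 packets
        forwarded["10.0.0.7"] += edge.egress("10.0.0.7", "198.51.100.3")
    return dict(forwarded)
```

With these constructed parameters the flooder's flow passes unpoliced until it crosses the large-flow threshold and is then held to its fair share, while the balanced host's traffic is never dropped.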
