Proactive Surge Protection: A Defense Mechanism for Bandwidth-Based Attacks

Large-scale bandwidth-based distributed denial-of-service (DDoS) attacks can quickly knock out substantial parts of a network before reactive defenses can respond. Even traffic that is not under direct attack can suffer significant collateral damage if the traffic passes through links that are common to attack routes. This paper presents a proactive surge protection (PSP) mechanism that aims to provide a broad first line of defense against DDoS attacks. The approach aims to minimize collateral damage by providing bandwidth isolation between traffic flows. The proposed solution is readily deployable using existing router mechanisms and does not rely on any unauthenticated packet header information. Our extensive evaluation across two large commercial backbone networks, using both distributed and targeted attacks, shows that up to 95.5% of the network could suffer collateral damage, but our solution was able to significantly reduce the amount of collateral damage by up to 97.58% in terms of the number of packets dropped and 90.36% in terms of the number of flows with packet loss. Further, we show that PSP can maintain low packet loss rates even when the intensity of attacks is increased significantly.
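As an added illustration (not the paper's code and not its PSP mechanism), the toy model below contrasts a shared drop-tail link, where benign and attack flows lose the same fraction of their packets, with a link that enforces per-flow bandwidth isolation through max-min fair sharing. Flow names, rates and the link capacity are constructed; max-min water-filling is assumed here only as one textbook way to realise bandwidth isolation, so that the effect on the abstract's two collateral-damage metrics, packets dropped and benign flows with loss, can be computed directly.

```python
"""Toy model of collateral damage on one congested link (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    name: str
    offered: float  # offered load in packets/s (constructed value)
    attack: bool    # ground-truth label, used only for reporting


def fifo_allocation(flows, capacity):
    """Drop-tail FIFO link: once saturated, every flow loses the same fraction,
    so benign flows take collateral damage in proportion to the attack load."""
    total = sum(f.offered for f in flows)
    if total <= capacity:
        return {f.name: f.offered for f in flows}
    scale = capacity / total
    return {f.name: f.offered * scale for f in flows}


def maxmin_allocation(flows, capacity):
    """Per-flow bandwidth isolation via max-min fair water-filling: each flow
    gets at most its demand, and capacity left by small flows is split equally
    among the flows that are still unsatisfied. The allocation never looks at
    the `attack` label; isolation comes from the rate-sharing rule alone."""
    alloc = {}
    remaining = capacity
    pending = sorted(flows, key=lambda f: f.offered)
    while pending:
        share = remaining / len(pending)
        f = pending[0]
        if f.offered <= share:
            alloc[f.name] = f.offered      # small flow fully satisfied
            remaining -= f.offered
            pending.pop(0)
        else:
            for g in pending:              # all remaining flows are capped
                alloc[g.name] = share
            break
    return alloc


def collateral_damage(flows, alloc):
    """Metrics in the spirit of the abstract: packets dropped from benign flows
    and the number of benign flows that saw any loss."""
    dropped = 0.0
    lossy = 0
    for f in flows:
        if f.attack:
            continue
        loss = f.offered - alloc[f.name]
        if loss > 1e-9:
            dropped += loss
            lossy += 1
    return dropped, lossy


def build_scenario(attack_rate, n_benign=10, benign_rate=50.0, n_attack=4):
    """Constructed traffic mix: many small benign flows plus a few large attack flows."""
    benign = [Flow(f"user{i}", benign_rate, False) for i in range(n_benign)]
    attack = [Flow(f"bot{i}", attack_rate, True) for i in range(n_attack)]
    return benign + attack


def compare(attack_rate, capacity=1000.0):
    """Return (fifo_dropped, fifo_lossy_flows, isolated_dropped, isolated_lossy_flows)."""
    flows = build_scenario(attack_rate)
    fifo = collateral_damage(flows, fifo_allocation(flows, capacity))
    iso = collateral_damage(flows, maxmin_allocation(flows, capacity))
    return fifo + iso


if __name__ == "__main__":
    for rate in (500.0, 5000.0, 50000.0):
        fd, fl, idrop, il = compare(rate)
        print(f"attack rate {rate:>8.0f} pps/bot | FIFO: {fd:7.1f} pkts dropped, "
              f"{fl} benign flows hit | isolated: {idrop:.1f} pkts, {il} flows")
```

Raising `attack_rate` makes the FIFO link's benign loss grow with attack intensity while the isolated link's benign loss stays at zero, which is the qualitative behaviour the abstract reports for PSP; the model says nothing about how PSP maps aggregates onto existing router mechanisms, which is the paper's contribution and is not reproduced here.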
