On the effectiveness of DDoS attacks on statistical filtering

Distributed denial of service (DDoS) attacks pose a serious threat to service availability of the victim network by severely degrading its performance. Recently, there has been significant interest in the use of statistical-based filtering to defend against and mitigate the effect of DDoS attacks. Under this approach, packet statistics are monitored to classify normal and abnormal behaviour. Under attack, packets that are classified as abnormal are dropped by the filter that guards the victim network. We study the effectiveness of DDoS attacks on such statistical-based filtering in a general context where the attackers are "smart". We first give an optimal policy for the filter when the statistical behaviours of both the attackers and the filter are static. We next consider cases where both the attacker and the filter can dynamically change their behaviour, possibly depending on the perceived behaviour of the other party. We observe that while an adaptive filter can effectively defend against a static attacker, the filter can perform much worse if the attacker is more dynamic than perceived.

[1]  Ratul Mahajan,et al.  Aggregate congestion control , 2002, CCRV.

[2]  Wenke Lee,et al.  Proactive detection of distributed denial of service attacks using MIB traffic variables-a feasibility study , 2001, 2001 IEEE/IFIP International Symposium on Integrated Network Management Proceedings. Integrated Network Management VII. Integrated Management Strategies for the New Millennium (Cat. No.01EX470).

[3]  Jelena Mirkovic,et al.  Attacking DDoS at the source , 2002, 10th IEEE International Conference on Network Protocols, 2002. Proceedings..

[4]  Anna R. Karlin,et al.  Practical network support for IP traceback , 2000, SIGCOMM.

[5]  Dan Schnackenberg,et al.  Statistical approaches to DDoS attack detection and response , 2003, Proceedings DARPA Information Survivability Conference and Exposition.

[6]  Kang G. Shin,et al.  Hop-count filtering: an effective defense against spoofed DDoS traffic , 2003, CCS '03.

[7]  Kotagiri Ramamohanarao,et al.  Protection from distributed denial of service attacks using history-based IP filtering , 2003, IEEE International Conference on Communications, 2003. ICC '03..

[8]  Ratul Mahajan,et al.  Aggregate-Based Congestion Control , 2002 .

[9]  Kang G. Shin,et al.  Detecting SYN flooding attacks , 2002, Proceedings.Twenty-First Annual Joint Conference of the IEEE Computer and Communications Societies.

[10]  Heejo Lee,et al.  On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law internets , 2001, SIGCOMM '01.

[11]  Kang G. Shin,et al.  Hop-Count Filtering : An Effective Defense Against Spoofed Traffic , 2003 .

[12]  Mooi Choo Chuah,et al.  Packetscore: statistics-based overload control against distributed denial-of-service attacks , 2004, IEEE INFOCOM 2004.

[13]  Los Angeles,et al.  D-WARD: Source-End Defense Against Distributed Denial-of-Service Attacks , 2003 .

[14]  Anna R. Karlin,et al.  Network support for IP traceback , 2001, TNET.