Defending Against Distributed Denial-of-Service Attacks With Weight-Fair Router Throttling

Abusayeed M Saifullah, Computer Science and Engineering, Washington University in St. Louis, St. Louis, MO 63130 USA. Email: saifullaha@cse.wustl.edu

Type of Report: Other. Department of Computer Science & Engineering, Washington University in St. Louis, Campus Box 1045, St. Louis, MO 63130, ph: (314) 935-6160

ABSTRACT

A high-profile internet server is always a target of denial-of-service attacks. In this paper, we propose a novel technique for protecting an internet server from distributed denial-of-service attacks. The defense mechanism is based on a distributed algorithm that performs weight-fair throttling at the upstream routers. The throttling is weight-fair because the traffic destined for the server is controlled (increased or decreased) by the leaky buckets at the routers based on the number of users connected, directly or through other routers, to each router. To the best of our knowledge, this is the first weight-fair technique for saving an internet server from denial-of-service attacks. The system is guaranteed to work even if some of the routers are compromised. Furthermore, at the beginning of the algorithm, the server's capacity is underestimated by the routers so as to protect the server from any sudden initial attack.
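The weight-fair allocation the abstract describes, as an added illustrative simulation (not code from the paper, whose distributed algorithm is not reproduced here): each router's leaky-bucket rate is the server's estimated capacity split down the router tree in proportion to the number of users reachable through each router, starting from a deliberate underestimate of the capacity. The topology, the offered loads, and the halving/growth rule for the estimate are assumptions made for this example.

```python
from collections import defaultdict

# Constructed topology (assumed): router -> upstream router, "server" is the root.
PARENT = {"r1": "server", "r2": "server", "r3": "r1", "r4": "r1"}
# End users attached directly to each router (constructed sample).
DIRECT_USERS = {"r1": 2, "r2": 10, "r3": 4, "r4": 4}


def build_children(parent):
    children = defaultdict(list)
    for router, up in parent.items():
        children[up].append(router)
    return children


def subtree_users(router, children, direct):
    """Weight of a router: users reachable through it, directly or via child routers."""
    return direct.get(router, 0) + sum(subtree_users(c, children, direct) for c in children[router])


def allocate(router, budget, children, direct):
    """Split `budget` (packets/s) among this router's direct users and child routers
    in proportion to user counts. Returns {router: leaky-bucket rate} for the subtree."""
    rates = {}
    total = subtree_users(router, children, direct)
    for child in children[router]:
        share = budget * subtree_users(child, children, direct) / total
        rates[child] = share
        rates.update(allocate(child, share, children, direct))
    return rates


def forwarded(router, demand, rates, children):
    """Traffic a router passes upstream: its own users' load plus what its children
    forwarded, capped by its bucket rate (the server itself has no bucket)."""
    load = demand.get(router, 0.0) + sum(forwarded(c, demand, rates, children) for c in children[router])
    return min(load, rates[router]) if router in rates else load


def next_estimate(estimate, server_overloaded, true_capacity):
    """Assumed control rule: begin below true capacity and grow the estimate only
    while the server reports it is not saturated; halve it when it is."""
    return estimate * 0.5 if server_overloaded else min(true_capacity, estimate * 1.25)


def simulate_round(capacity, estimate, demand):
    children = build_children(PARENT)
    rates = allocate("server", estimate, children, DIRECT_USERS)
    load = forwarded("server", demand, rates, children)
    return rates, load, next_estimate(estimate, load >= capacity, capacity)
```

With a true capacity of 100 and an initial estimate of 50, a flood of 500 packets/s behind r2 (10 users) is cut to 25, while the 10 users behind r1 keep their full 25-packet/s share.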
