Real-time protection against DDoS attacks using active gateways

This paper presents solutions for protecting servers against distributed denial-of-service (DDoS) attacks that inundate the system with file download and script execution requests. Our solution uses dynamic packet filtering on dual-ported, active-NIC-based gateways to drop attacking packets based on locally measured request rates and information from the server (such as server load and the number of incomplete connections). A variety of techniques for performing such packet filtering in real time are discussed. A prototype implementation using a test bed of several clients, attacking machines and servers indicates that the proposed scheme yields considerable improvements in the response times to legitimate requests and in the overall performance of the servers. Once a sustained high-volume attack starts, the intelligent gateway detects and filters out apparently malicious traffic within a few tens of seconds.
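As an added illustration (not code from the paper or its prototype), the following Python sketch models the gateway decision described above: a per-source sliding-window request-rate check whose per-window budget is tightened by the server's reported load and count of incomplete connections. The ServerFeedback fields and their scale, the scaling rule, the thresholds, the addresses and the packet trace are all assumptions constructed for this example.

```python
from collections import defaultdict, deque


class ServerFeedback:
    """Constructed stand-in for the load information the abstract says the
    server passes back to the gateway: a load fraction and the number of
    incomplete (half-open) connections. The 0.0..1.0 scale is an assumption."""

    def __init__(self, load=0.0, incomplete_connections=0):
        self.load = load
        self.incomplete_connections = incomplete_connections


class AdaptiveRateFilter:
    """Per-source sliding-window request-rate filter whose per-window budget
    shrinks as the server reports higher load or a larger half-open backlog.
    Thresholds and the scaling rule are assumptions made for this example."""

    def __init__(self, base_limit=10, window_ms=1000, max_incomplete=100):
        self.base_limit = base_limit          # requests per window from one source when the server is idle
        self.window_ms = window_ms            # sliding window length in milliseconds
        self.max_incomplete = max_incomplete  # half-open backlog treated as fully saturated
        self.history = defaultdict(deque)     # source address -> timestamps of admitted requests

    def allowed_rate(self, feedback):
        """Budget for one source given the server's reported state."""
        load_factor = 1.0 - min(max(feedback.load, 0.0), 1.0)
        backlog_factor = 1.0 - min(feedback.incomplete_connections / self.max_incomplete, 1.0)
        scale = min(load_factor, backlog_factor)
        return max(1, int(self.base_limit * scale))  # never starve a source completely

    def decide(self, src, ts_ms, feedback):
        """Return "PASS" or "DROP" for a request from src arriving at ts_ms."""
        admitted = self.history[src]
        # Forget admitted requests that have slid out of the window.
        while admitted and ts_ms - admitted[0] >= self.window_ms:
            admitted.popleft()
        if len(admitted) >= self.allowed_rate(feedback):
            return "DROP"
        admitted.append(ts_ms)
        return "PASS"


# Constructed addresses for the trace below (private and documentation ranges).
LEGIT = "10.0.0.5"
ATTACKER = "198.51.100.7"


def build_trace(seconds=10, attack_rate=20):
    """Constructed packet trace: one legitimate request per second alongside a
    flood of attack_rate requests per second from one source. The server
    reports overload from the third second onward (an assumed detection delay)."""
    trace = []
    for t in range(seconds):
        fb = ServerFeedback(load=0.9, incomplete_connections=80) if t >= 2 else ServerFeedback()
        for i in range(attack_rate):
            trace.append((t * 1000 + i * 50, ATTACKER, fb))
        trace.append((t * 1000 + 250, LEGIT, fb))
    trace.sort(key=lambda entry: entry[0])
    return trace


def run_trace(trace, filt):
    """Run the filter over a trace; returns {source: {"PASS": n, "DROP": n}}."""
    counts = defaultdict(lambda: {"PASS": 0, "DROP": 0})
    for ts_ms, src, fb in trace:
        counts[src][filt.decide(src, ts_ms, fb)] += 1
    return {src: dict(c) for src, c in counts.items()}


if __name__ == "__main__":
    for src, c in run_trace(build_trace(), AdaptiveRateFilter()).items():
        print(f"{src:>14}: passed {c['PASS']:3d}  dropped {c['DROP']:3d}")
```

With the constructed trace, the flooding source is held to the idle budget of 10 requests per second for the first two seconds and to a single request per second once the server reports overload, while the legitimate client, which never exceeds its budget, is never dropped. The local rate measurement alone caps the flood; the server feedback is what shrinks the surviving share further once the backlog of incomplete connections grows.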
