Trawling Traffic under Attack, Overcoming DDoS Attacks by Target-Controlled Traffic Filtering

As more and more services are provided by servers over the Internet, Denial-of-Service (DoS) attacks pose an increasing threat to the Internet community. A DoS attack overloads the target server with a large volume of adverse requests, rendering the server unavailable to “well-behaved” users. Recently, the paradigm of traffic ownership, which lets the clients of Internet service providers (ISPs) configure their own traffic-processing policies, has gained popularity. In this paper we propose two algorithms within this paradigm that allow attack targets to dynamically filter their incoming traffic according to a distributed policy. The proposed algorithms defend the target against DoS and distributed DoS (DDoS) attacks while ensuring that it continues to receive the traffic of valuable users. In a nutshell, a target defines a filtering policy consisting of a set of traffic classification rules and, for each rule, the amount of matching traffic, measured in bandwidth units, that it is willing to accept. The filtering policy is enforced by the routers of the ISP or Network Service Provider (NSP) when the target is being overloaded with traffic. The goal is to maximize the amount of filtered traffic forwarded to the target from the ISP’s or NSP’s network, subject to the filtering policy. The first algorithm relies on complete collaboration among the ISP/NSP routers; it computes the filtering policy in polynomial time and delivers the best possible traffic mix to the target. The second is a distributed algorithm that assumes no collaboration among the ISP/NSP routers: each router uses only local information about its incoming traffic. We give the intuition behind the proof of a lower bound on the second algorithm’s worst-case performance.
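The following is an added worked example, not code from the paper, that makes the two settings in the abstract concrete. It models a target policy (per-class bandwidth caps) enforced at ISP edge routers in two ways: a centralized allocation with full knowledge of every router's traffic, solved here as a maximum-flow problem (my modelling choice, not necessarily the paper's algorithm), and a purely local rule in which each router only knows its own incoming traffic and forwards at most a 1/n share of each class cap. The router link capacities, the traffic matrix and the policy are constructed sample inputs; the local rule is my own illustrative heuristic, chosen because it can never exceed the policy no matter what other routers see, which is exactly what makes it lose forwarded bandwidth when traffic is unevenly spread.

```python
"""Target-controlled traffic filtering: centralized (max-flow) vs. local rule.

Model assumptions (mine, not the paper's):
  * edge router r observes TRAFFIC[r][c] bandwidth units of traffic class c,
  * router r can forward at most LINK[r] units towards the target,
  * the target's policy accepts at most POLICY[c] units of class c in total.
"""
from collections import defaultdict, deque

# Constructed sample: three ISP edge routers, three traffic classes.
# The target is a web service under attack; its policy favours "web".
TRAFFIC = {
    "r1": {"web": 80, "dns": 5},          # r1 is flooded with web requests
    "r2": {"web": 10, "dns": 40},
    "r3": {"other": 50, "web": 5},        # r3 carries mostly junk
}
LINK = {"r1": 70, "r2": 60, "r3": 40}     # link capacity router -> target
POLICY = {"web": 60, "dns": 30, "other": 10}   # bandwidth units per rule


def max_flow(capacity, s, t):
    """Edmonds-Karp on a dict-of-dicts capacity graph. Returns (value, flow)."""
    cap = defaultdict(lambda: defaultdict(int))
    for u in capacity:                      # add reverse edges with 0 capacity
        for v, c in capacity[u].items():
            cap[u][v] += c
            cap[v][u] += 0
    flow = defaultdict(lambda: defaultdict(int))
    total = 0
    while True:
        parent = {s: None}
        queue = deque([s])
        while queue and t not in parent:    # BFS for a shortest augmenting path
            u = queue.popleft()
            for v in cap[u]:
                if v not in parent and cap[u][v] - flow[u][v] > 0:
                    parent[v] = u
                    queue.append(v)
        if t not in parent:
            return total, flow
        bottleneck, v = float("inf"), t
        while parent[v] is not None:
            u = parent[v]
            bottleneck = min(bottleneck, cap[u][v] - flow[u][v])
            v = u
        v = t
        while parent[v] is not None:        # push the bottleneck along the path
            u = parent[v]
            flow[u][v] += bottleneck
            flow[v][u] -= bottleneck
            v = u
        total += bottleneck


def centralized_policy(traffic, link, policy):
    """Full collaboration: s -> router (link cap) -> class (observed traffic)
    -> t (policy cap). The max flow is the best admissible traffic mix."""
    g = {"s": {}, "t": {}}
    for r, seen in traffic.items():
        g["s"][("r", r)] = link[r]
        g[("r", r)] = {("c", c): bw for c, bw in seen.items()}
    for c, cap_c in policy.items():
        g.setdefault(("c", c), {})["t"] = cap_c
    total, flow = max_flow(g, "s", "t")
    plan = {r: {c: flow[("r", r)][("c", c)] for c in traffic[r]} for r in traffic}
    return total, plan


def local_fair_share(traffic, link, policy):
    """No collaboration: each router forwards at most policy[c]/n of class c,
    bounded by its own link. Summed over n routers this never exceeds the
    policy, but capacity is wasted when one router sees most of a class."""
    n = len(traffic)
    plan = {}
    for r, seen in traffic.items():
        budget = link[r]
        plan[r] = {}
        for c, bw in seen.items():
            take = min(bw, policy.get(c, 0) / n, budget)
            plan[r][c] = take
            budget -= take
    total = sum(sum(p.values()) for p in plan.values())
    return total, plan


def per_class_totals(plan):
    """Bandwidth delivered to the target per class, across all routers."""
    totals = defaultdict(int)
    for allocation in plan.values():
        for c, bw in allocation.items():
            totals[c] += bw
    return dict(totals)


def respects_policy(plan, policy):
    """True if no class exceeds its policy cap in total."""
    return all(bw <= policy.get(c, 0) + 1e-9
               for c, bw in per_class_totals(plan).items())


if __name__ == "__main__":
    for name, algo in (("centralized", centralized_policy),
                       ("local", local_fair_share)):
        total, plan = algo(TRAFFIC, LINK, POLICY)
        print(f"{name}: {total:.2f} units forwarded, per class {per_class_totals(plan)}")
```

On the sample input the centralized allocation saturates the policy (60 web, 30 dns, 10 other) while respecting every router's link, whereas the local rule delivers roughly half as much even though it never violates the policy: router r1 is the only one with spare web traffic but is allowed just 20 units of it. That gap is the price of using local information only, and is the quantity the abstract's lower bound is about.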
