An edge-to-edge filtering architecture against DoS

Defending against large, distributed denial-of-service (DDoS) attacks is hard, and most proposed defenses call for substantial changes to the network core or to end-hosts. Spoofing makes matters worse: a defense that filters traffic on request must resist attempts by attackers to trigger filtering of other people's traffic. Further, any solution has to offer incentives for deployment, or it will never see the light of day. We present a simple and effective architectural defense against distributed DoS attacks that requires no changes to end-hosts and only minimal changes to the network core, is robust to spoofing, provides incentives for initial deployment, and can be built with off-the-shelf hardware.