Packet filtering to defend flooding-based DDoS attacks [Internet denial-of-service attacks]

Our proposed scheme seeks to defend against flooding distributed denial-of-service (DDoS) attacks in the Internet. An easy, yet very disruptive, way to cause unfairness to legitimate users is to deplete network bandwidth by sending high-rate unresponsive flows from multiple sources. The congestion created by such malicious flows causes most legitimate packets to be dropped at routers before reaching their destinations. Congestion control in IP networks is typically performed at each router through queue management, and the network relies entirely on the end hosts to react to congestion. When the network is under a packet-flood attack, however, existing queue management algorithms show significant shortcomings in protecting legitimate flows. In this paper, we propose a novel congestion-control scheme for IP networks that defends against DDoS attacks. Our approach is a time-window based filtering mechanism applied before the queue management policy. By setting the window size properly and dropping packets that reach into the next window, the filter captures the non-responsive nature of misbehaving flows. The performance of the proposed scheme is demonstrated through extensive simulations with the NS2 simulator, using simulated traffic generated from the IP traces reported at http://www.nlnar.org.
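To make the idea of a time-window filter placed in front of the queue concrete, the following is an added illustration written for this page; it is not the paper's algorithm or its NS2 code. The window length, the per-flow packet budget per window, the responsiveness test (a flow that was dropped in one window and offers at least as many packets in the next is treated as non-responsive), the flow names and the constructed traffic are all assumptions made for the example. A congestion-controlled sender reacts to drops by halving its rate; a constant-rate flood does not, and that difference is what the filter reports.

```python
from collections import defaultdict


class WindowFilter:
    """Per-flow time-window filter that sits before the router queue.

    Each flow may pass at most `budget` packets per window of `window`
    seconds; packets beyond that in the same window are dropped. A flow
    that saw drops in window k but offers at least as many packets in
    window k+1 is recorded as non-responsive. Both thresholds and the
    test itself are assumed parameters for this illustration, not values
    taken from the paper.
    """

    def __init__(self, window=1.0, budget=10):
        self.window = window
        self.budget = budget
        self.cur = None                        # index of the window being filled
        self.offered = defaultdict(int)        # packets offered per flow, this window
        self.accepted = defaultdict(int)       # packets accepted per flow, this window
        self.prev_offered = {}                 # offered counts of the previous window
        self.prev_dropped = set()              # flows that saw drops in the previous window
        self.nonresponsive = set()             # flows flagged by the responsiveness test
        self.totals = defaultdict(lambda: [0, 0])  # flow -> [accepted, dropped] overall

    def _roll(self, idx):
        """Close the current window, run the responsiveness test, start window idx."""
        if self.cur is not None:
            for flow in self.prev_dropped:
                # dropped last window, yet did not back off: not congestion-controlled
                if self.offered.get(flow, 0) >= self.prev_offered.get(flow, 0):
                    self.nonresponsive.add(flow)
            self.prev_dropped = {f for f in self.offered
                                 if self.offered[f] > self.accepted[f]}
            self.prev_offered = dict(self.offered)
        self.cur = idx
        self.offered = defaultdict(int)
        self.accepted = defaultdict(int)

    def offer(self, t, flow):
        """Return True if the packet arriving at time t on `flow` is passed to the queue."""
        idx = int(t // self.window)
        if self.cur is None:
            self._roll(idx)
        while self.cur < idx:                  # advance through every window boundary
            self._roll(self.cur + 1)
        self.offered[flow] += 1
        if self.accepted[flow] < self.budget:
            self.accepted[flow] += 1
            self.totals[flow][0] += 1
            return True
        self.totals[flow][1] += 1              # reached past this window's budget
        return False

    def close(self):
        """Finish the last window so its responsiveness check is applied."""
        if self.cur is not None:
            self._roll(self.cur + 1)


def simulate(duration=4.0, window=1.0, budget=10, flood_rate=40, tcp_rate=16):
    """Constructed traffic: a responsive sender ("tcp") that halves its rate after
    any window in which it was dropped, and a constant-rate flood ("flood")."""
    f = WindowFilter(window, budget)
    rate = tcp_rate
    for k in range(int(duration / window)):
        start = k * window
        pkts = [(start + i / flood_rate, "flood") for i in range(int(flood_rate * window))]
        pkts += [(start + i / rate, "tcp") for i in range(int(rate * window))]
        dropped_before = f.totals["tcp"][1]
        for t, flow in sorted(pkts):
            f.offer(t, flow)
        if f.totals["tcp"][1] > dropped_before:
            rate = max(1, rate // 2)           # back off like a congestion-controlled sender
    f.close()
    return f


if __name__ == "__main__":
    result = simulate()
    print("non-responsive flows:", sorted(result.nonresponsive))
    for flow, (acc, drop) in sorted(result.totals.items()):
        print(f"{flow}: accepted={acc} dropped={drop}")
```

With the defaults, the responsive sender is dropped only in the first window (16 offered against a budget of 10), halves its rate, and is never flagged; the flood is dropped in every window, keeps offering 40 packets per second, and is flagged. What a router does with a flagged flow (a lower budget, a separate queue, or an outright drop) is a policy choice outside this example.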