Random early detection gateways for congestion avoidance
IEEE/ACM Transactions on Networking (TON)
A measurement-based admission control algorithm for integrated service packet networks
IEEE/ACM Transactions on Networking (TON)
Explicit allocation of best-effort packet delivery service
IEEE/ACM Transactions on Networking (TON)
A framework for robust measurement-based admission control
IEEE/ACM Transactions on Networking (TON)
Deriving traffic demands for operational IP networks: methodology and experience
Proceedings of the conference on Applications, Technologies, Architectures, and Protocols for Computer Communication
Network support for IP traceback
IEEE/ACM Transactions on Networking (TON)
IEEE/ACM Transactions on Networking (TON)
Pi: A Path Identification Mechanism to Defend against DDoS Attacks
SP '03 Proceedings of the 2003 IEEE Symposium on Security and Privacy
A system for authenticated policy-compliant routing
Proceedings of the 2004 conference on Applications, technologies, architectures, and protocols for computer communications
PRIMED: community-of-interest-based DDoS mitigation
Proceedings of the 2006 SIGCOMM workshop on Large-scale attack defense
Analyzing large DDoS attacks using multiple data sources
Proceedings of the 2006 SIGCOMM workshop on Large-scale attack defense
Detection and identification of network anomalies using sketch subspaces
Proceedings of the 6th ACM SIGCOMM conference on Internet measurement
Botz-4-sale: surviving organized DDoS attacks that mimic flash crowds
NSDI'05 Proceedings of the 2nd conference on Symposium on Networked Systems Design & Implementation - Volume 2
Traffic flow forecasting using a spatio-temporal Bayesian network predictor
ICANN'05 Proceedings of the 15th international conference on Artificial neural networks: formal models and their applications - Volume Part II
Proactive surge protection: a defense mechanism for bandwidth-based attacks
SS'08 Proceedings of the 17th conference on Security symposium
Communities of interest for internet traffic prioritization
INFOCOM'09 Proceedings of the 28th IEEE international conference on Computer Communications Workshops
| Hi-index | 0.00 |
Existing mechanisms for defending against distributed denial-of-service (DDoS) attacks are generally reactive in nature. However, the onset of large-scale bandwidth-based attacks can occur suddenly, potentially knocking out substantial parts of a network before reactive defenses can respond. Even for traffic flows that are not under direct attack, significant collateral damage will result if these flows pass through links that are common to attack routes. This paper presents a proactive-surge-protection (PSP) mechanism that aims to provide a broad first line of defense against DDoS attacks. Our solution aims to minimize collateral damage by providing bandwidth isolation between traffic flows. This isolation is achieved through a combination of traffic forecasting, proportional allocation of network capacity, metering and tagging of packets at the network perimeter, and preferential dropping of packets inside the network. Our solution is readily deployable using existing router mechanisms. Simulations across three large backbone networks show that up to 95.5% of the network could suffer collateral damage without protection, but our solution was able to reduce the amount of collateral damage by 60.5-97.8%, even with a coarse-grained forecasting scheme.