This paper presents the design and implementation of a filter-based DoS defense system (StopIt) and a comparison study of the effectiveness of filters and capabilities. Central to the StopIt design is a novel closed-control, open-service architecture: any receiver can use StopIt to block the undesired traffic it receives, yet the design is robust to various strategic attacks from millions of bots, including filter exhaustion attacks and bandwidth flooding attacks that aim to disrupt the timely installation of filters. Our evaluation shows that StopIt can block the attack traffic from a few million attackers within tens of minutes with bounded router memory. We compare StopIt with existing filter-based and capability-based DoS defense systems under simulated DoS attacks of various types and scales. Our results show that StopIt outperforms existing filter-based systems and can prevent legitimate communications from being disrupted by various DoS flooding attacks. It also outperforms capability-based systems in most attack scenarios, but a capability-based system is more effective in one type of attack, in which the attack traffic does not reach the victim but congests a link shared by the victim. These results suggest that both filters and capabilities are highly effective DoS defense mechanisms, but neither is more effective than the other in all types of DoS attacks.