Proactive surge protection: a defense mechanism for bandwidth-based attacks
IEEE/ACM Transactions on Networking (TON)
Large-scale bandwidth-based distributed denial-of-service (DDoS) attacks can quickly knock out substantial parts of a network before reactive defenses can respond. Even traffic flows that are not under direct attack can suffer significant collateral damage if they pass through links that are shared with attack routes. Since botnets with more than a hundred thousand bots exist today, and high-speed Internet access is widespread, the potential for a large-scale coordinated attack is real. This paper presents a Proactive Surge Protection (PSP) mechanism that aims to provide a broad first line of defense against DDoS attacks. The approach aims to minimize collateral damage by providing bandwidth isolation between traffic flows. This isolation is achieved through a combination of traffic measurements, bandwidth allocation of network resources, metering and tagging of packets at the network perimeter, and preferential dropping of packets inside the network. The proposed solution is readily deployable using existing router mechanisms and does not rely on any unauthenticated packet header information. The approach is therefore resilient to evasion schemes that launch many seemingly legitimate TCP connections with spoofed IP addresses and port numbers. Finally, our extensive evaluation results across two large commercial backbone networks, using both distributed and targeted attack scenarios, show that up to 95.5% of the network could suffer collateral damage without protection, whereas our solution was able to reduce the collateral damage by up to 97.58% in terms of the number of packets dropped and 90.36% in terms of the number of flows with packet loss. Furthermore, we show that PSP can maintain low packet loss rates even when the intensity of attacks is increased significantly.