Reflector-based DDoS attacks are feasible in a variety of request/reply protocols, including TCP, UDP, ICMP, and DNS. To mitigate these attacks, we advocate the concept of victim assistance and use it in the context of a novel scheme called pairing-based filtering (PF). The main idea of the PF scheme is to validate incoming reply packets by pairing them, in a distributed manner, with the corresponding request packets. This pairing is performed at the edge routers of the ISP perimeter that contains the victim, rather than at the edge router to which the victim is directly connected; as a result, the scheme protects against bandwidth exhaustion attacks in addition to attacks that exhaust the victim's own resources. We evaluate the proposed scheme through analytical studies using two performance metrics, namely the probability of allowing an attack packet into the ISP network and the probability of filtering a legitimate packet. Our analysis shows that the proposed scheme offers a high filtering rate for attack traffic while causing negligible collateral damage to legitimate traffic.
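The following is an added toy simulation of the pairing idea described in the abstract; it is not code from the paper. It assumes a flow key of (peer address, victim address, protocol, protocol identifier), a request record that all perimeter edge routers can consult (standing in for whatever distributed dissemination the scheme uses), a fixed record lifetime, and constructed traffic around a single victim host. It replays the traffic through three edge routers and reports the two metrics named in the abstract, including the two failure modes a practitioner would want to see: a reflected reply that happens to match a live request record is admitted, and a legitimate reply that arrives after its record expired is filtered.

```python
"""Toy simulation of pairing-based filtering (PF) at an ISP perimeter.
Constructed example; the shared record table, the flow key and the record
lifetime are assumptions, not the scheme's actual data structures."""
from dataclasses import dataclass

RECORD_TTL = 30.0   # seconds a request record stays valid (assumed value)


@dataclass(frozen=True)
class Packet:
    t: float          # time in seconds at which the router sees the packet
    src: str
    dst: str
    proto: str        # "tcp", "udp", "icmp" or "dns"
    ident: int        # pairing id: port, ICMP id, DNS transaction id (assumption)
    is_reply: bool
    legit: bool = True   # ground truth, used only for scoring


def reply_to(req: Packet, t: float, legit: bool = True) -> Packet:
    """Construct the reply that pairs with a request (addresses swapped, same id)."""
    return Packet(t, req.dst, req.src, req.proto, req.ident, True, legit)


class EdgeRouter:
    """One router on the ISP perimeter. All perimeter routers share `records`
    (assumed dissemination mechanism), so a reply entering at a different router
    than the one its request left through can still be paired."""

    def __init__(self, name: str, records: dict):
        self.name = name
        self.records = records

    def egress(self, pkt: Packet) -> None:
        if not pkt.is_reply:   # outgoing request: remember how its reply will look
            key = (pkt.dst, pkt.src, pkt.proto, pkt.ident)
            self.records[key] = pkt.t + RECORD_TTL

    def ingress(self, pkt: Packet) -> bool:
        if not pkt.is_reply:   # PF validates replies only; requests pass as usual
            return True
        key = (pkt.src, pkt.dst, pkt.proto, pkt.ident)
        expires = self.records.get(key)
        return expires is not None and pkt.t <= expires


def evaluate(trace):
    """Replay (router, direction, packet) events and compute the two metrics
    from the abstract: P(attack packet admitted) and P(legitimate packet filtered)."""
    records = {}
    routers = {n: EdgeRouter(n, records) for n in ("edge-A", "edge-B", "edge-C")}
    counts = {"attack": 0, "attack_admitted": 0, "legit": 0, "legit_filtered": 0}
    for router, direction, pkt in trace:
        r = routers[router]
        if direction == "out":
            r.egress(pkt)
            continue
        admitted = r.ingress(pkt)
        if pkt.legit:
            counts["legit"] += 1
            counts["legit_filtered"] += int(not admitted)
        else:
            counts["attack"] += 1
            counts["attack_admitted"] += int(admitted)
    counts["p_attack_admitted"] = counts["attack_admitted"] / counts["attack"]
    counts["p_legit_filtered"] = counts["legit_filtered"] / counts["legit"]
    return counts


def build_trace():
    """Constructed traffic around victim 10.0.0.5 inside the ISP."""
    victim = "10.0.0.5"
    trace = []
    # 10 legitimate UDP exchanges: request leaves via edge-A, reply returns via edge-B
    for i in range(10):
        req = Packet(float(i), victim, f"203.0.113.{i}", "udp", 50000 + i, False)
        trace.append(("edge-A", "out", req))
        trace.append(("edge-B", "in", reply_to(req, i + 0.05)))
    # ICMP echo request; a reflected reply matching the live record is admitted,
    # and the genuine reply is still admitted because records are not consumed on match
    ping = Packet(12.0, victim, "192.0.2.9", "icmp", 7, False)
    trace.append(("edge-C", "out", ping))
    trace.append(("edge-A", "in", reply_to(ping, 12.01, legit=False)))
    trace.append(("edge-C", "in", reply_to(ping, 12.02)))
    # 20 reflected DNS "replies" the victim never asked for: no record, all filtered
    for txid in range(1, 21):
        trace.append(("edge-B", "in",
                      Packet(13.0, "198.51.100.53", victim, "dns", txid, True, False)))
    # a legitimate DNS reply that arrives after its record expired: collateral damage
    q = Packet(20.0, victim, "198.51.100.53", "dns", 0x1234, False)
    trace.append(("edge-A", "out", q))
    trace.append(("edge-B", "in", reply_to(q, 20.0 + RECORD_TTL + 1.0)))
    return trace


if __name__ == "__main__":
    print(evaluate(build_trace()))
```

On the constructed trace the simulation admits 1 of 21 attack packets (the reply whose identifier coincided with a pending record) and filters 1 of 12 legitimate replies (the one that arrived after the record lifetime), which illustrates why the two metrics in the abstract trade off against the record lifetime and the size of the identifier space.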