Data networks
A measurement-based admission control algorithm for integrated service packet networks
IEEE/ACM Transactions on Networking (TON)
Explicit allocation of best-effort packet delivery service
IEEE/ACM Transactions on Networking (TON)
A framework for robust measurement-based admission control
IEEE/ACM Transactions on Networking (TON)
Deriving traffic demands for operational IP networks: methodology and experience
Proceedings of the conference on Applications, Technologies, Architectures, and Protocols for Computer Communication
Network support for IP traceback
IEEE/ACM Transactions on Networking (TON)
The impact of multicast layering on network fairness
IEEE/ACM Transactions on Networking (TON)
Pi: A Path Identification Mechanism to Defend against DDoS Attacks
SP '03 Proceedings of the 2003 IEEE Symposium on Security and Privacy
Estimating flow distributions from sampled flow statistics
Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications
A system for authenticated policy-compliant routing
Proceedings of the 2004 conference on Applications, technologies, architectures, and protocols for computer communications
PRIMED: community-of-interest-based DDoS mitigation
Proceedings of the 2006 SIGCOMM workshop on Large-scale attack defense
Detection and identification of network anomalies using sketch subspaces
Proceedings of the 6th ACM SIGCOMM conference on Internet measurement
Active internet traffic filtering: real-time response to denial-of-service attacks
ATEC '05 Proceedings of the annual conference on USENIX Annual Technical Conference
Using routing and tunneling to combat DoS attacks
SRUTI'05 Proceedings of the Steps to Reducing Unwanted Traffic on the Internet Workshop
Portcullis: protecting connection setup from denial-of-capability attacks
Proceedings of the 2007 conference on Applications, technologies, architectures, and protocols for computer communications
A unified framework for max-min and min-max fairness with applications
IEEE/ACM Transactions on Networking (TON)
Proactive surge protection: a defense mechanism for bandwidth-based attacks
SS'08 Proceedings of the 17th conference on Security symposium
On max-min fair congestion control for multicast ABR service in ATM
IEEE Journal on Selected Areas in Communications
Classification of UDP traffic for DDoS detection
LEET'12 Proceedings of the 5th USENIX conference on Large-Scale Exploits and Emergent Threats
Large-scale bandwidth-based distributed denial-of-service (DDoS) attacks can quickly knock out substantial parts of a network before reactive defenses can respond. Even traffic that is not under direct attack can suffer significant collateral damage if the traffic passes through links that are common to attack routes. This paper presents a Proactive Surge Protection (PSP) mechanism that aims to provide a broad first line of defense against DDoS attacks. The approach aims to minimize collateral damage by providing bandwidth isolation between traffic flows. The proposed solution is readily deployable using existing router mechanisms and does not rely on any unauthenticated packet header information. Our extensive evaluation across two large commercial backbone networks, using both distributed and targeted attacks, shows that up to 95.5% of the network could suffer collateral damage, but our solution was able to significantly reduce the amount of collateral damage by up to 97.58% in terms of the number of packets dropped and 90.36% in terms of the number of flows with packet loss. Further, we show that PSP can maintain low packet loss rates even when the intensity of attacks is increased significantly.