Intelligent DDoS packet filtering in high-speed networks

Authors:
Yang Xiang;Wanlei Zhou
Affiliations:
School of Information Technology, Deakin University, Burwood, Australia;School of Information Technology, Deakin University, Burwood, Australia
Venue:
ISPA'05 Proceedings of the Third international conference on Parallel and Distributed Processing and Applications
Year:
2005

Citing 17
Cited 1

Random early detection gateways for congestion avoidance

IEEE/ACM Transactions on Networking (TON)
Neural networks (2nd ed.): an introduction

Neural networks (2nd ed.): an introduction
High-speed policy-based packet forwarding using efficient multi-dimensional range matching

Proceedings of the ACM SIGCOMM '98 conference on Applications, technologies, architectures, and protocols for computer communication
Packet classification using tuple space search

Proceedings of the conference on Applications, technologies, architectures, and protocols for computer communication
Packet classification on multiple fields

Proceedings of the conference on Applications, technologies, architectures, and protocols for computer communication
Inside Risks: denial-of-service attacks

Communications of the ACM
On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law internets

Proceedings of the 2001 conference on Applications, technologies, architectures, and protocols for computer communications
Neural Networks: A Comprehensive Foundation

Neural Networks: A Comprehensive Foundation
Controlling high bandwidth aggregates in the network

ACM SIGCOMM Computer Communication Review
Denial-of-Service Attacks Rip the Internet

Computer
Classifying Packets with Hierarchical Intelligent Cuttings

IEEE Micro
A Simulation Study of the Proactive Server Roaming for Mitigating Denial of Service Attacks

ANSS '03 Proceedings of the 36th annual symposium on Simulation
Pi: A Path Identification Mechanism to Defend against DDoS Attacks

SP '03 Proceedings of the 2003 IEEE Symposium on Security and Privacy
IP Traceback: A New Denial-of-Service Deterrent?

IEEE Security and Privacy
Hop-count filtering: an effective defense against spoofed DDoS traffic

Proceedings of the 10th ACM conference on Computer and communications security
Algorithms for packet classification

IEEE Network: The Magazine of Global Internetworking
Congestion control mechanisms and the best effort service model

IEEE Network: The Magazine of Global Internetworking

Research on the Detection of Distributed Denial of Service Attacks Based on the Characteristics of IP Flow

NPC '08 Proceedings of the IFIP International Conference on Network and Parallel Computing

Quantified Score

Hi-index	0.00

Visualization

Abstract

Currently high-speed networks have been attacked by successive waves of Distributed Denial of Service (DDoS) attacks. There are two major challenges on DDoS defense in the high-speed networks. One is to sensitively and accurately detect attack traffic, and the other is to filter out the attack traffic quickly, which mainly depends on high-speed packet classification. Unfortunately most current defense approaches can not efficiently detect and quickly filter out attack traffic. Our approach is to find the network anomalies by using neural network, deploy the system at distributed routers, identify the attack packets, and then filter them quickly by a Bloom filter-based classifier. The evaluation results show that this approach can be used to defend against both intensive and subtle DDoS attacks, and can catch DDoS attacks’ characteristic of starting from multiple sources to a single victim. The simple complexity, high classification speed and low storage requirements make it especially suitable for DDoS defense in high-speed networks.