Adaptive Distributed Traffic Control Service for DDoS Attack Mitigation

Authors:
Thomas Dubendorfer;Matthias Bossardt;Bernhard Plattner
Affiliations:
Swiss Federal Institute of Technology, ETH Zurich;Swiss Federal Institute of Technology, ETH Zurich;Swiss Federal Institute of Technology, ETH Zurich
Venue:
IPDPS '05 Proceedings of the 19th IEEE International Parallel and Distributed Processing Symposium (IPDPS'05) - Workshop 17 - Volume 18
Year:
2005

Citing 12
Cited 1

Practical network support for IP traceback

Proceedings of the conference on Applications, Technologies, Architectures, and Protocols for Computer Communication
The click modular router

ACM Transactions on Computer Systems (TOCS)
End-to-end arguments in system design

ACM Transactions on Computer Systems (TOCS)
Hash-based IP traceback

Proceedings of the 2001 conference on Applications, technologies, architectures, and protocols for computer communications
On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law internets

Proceedings of the 2001 conference on Applications, technologies, architectures, and protocols for computer communications
An analysis of using reflectors for distributed denial-of-service attacks

ACM SIGCOMM Computer Communication Review
Controlling high bandwidth aggregates in the network

ACM SIGCOMM Computer Communication Review
Pi: A Path Identification Mechanism to Defend against DDoS Attacks

SP '03 Proceedings of the 2003 IEEE Symposium on Security and Privacy
Inside the Slammer Worm

IEEE Security and Privacy
An Economic Damage Model for Large-Scale Internet Attacks

WETICE '04 Proceedings of the 13th IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises
Mayday: distributed filtering for internet services

USITS'03 Proceedings of the 4th conference on USENIX Symposium on Internet Technologies and Systems - Volume 4
Commentaries on “Active networking and end-to-end arguments”

IEEE Network: The Magazine of Global Internetworking

Enhanced Internet security by a distributed traffic control service based on traffic ownership

Journal of Network and Computer Applications

Quantified Score

Hi-index	0.00

Visualization

Abstract

Frequency and intensity of Internet attacks are rising with an alarming pace. Several technologies and concepts were proposed for fighting distributed denial of service (DDoS) attacks: traceback, pushback, i3, SOS and Mayday. This paper shows that in the case of DDoS reflector attacks they are either ineffective or even counterproductive. We then propose a novel concept and system that extends the control over network traffic by network users to the Internet using adaptive traffic processing devices. We safely delegate partial network management capabilities from network operators to network users. All network packets with a source or destination address owned by a network user can now also be controlled within the Internet instead of only at the network user's Internet uplink. By limiting the traffic control features and by restricting the realm of control to the "owner" of the traffic, we can rule out misuse of this system. Applications of our system are manifold: prevention of source address spoofing, DDoS attack mitigation, distributed firewall-like filtering, new ways of collecting traffic statistics, traceback, distributed network debugging, support for forensic analyses and many more.