Our work targets a network architecture and accompanying algorithms for countering distributed denial-of-service (DDoS) attacks directed at an Internet server. The basic mechanism is for a server under stress to install a router throttle at selected upstream routers. The throttle can be the leaky-bucket rate at which a router can forward packets destined for the server. Hence, before aggressive packets can converge to overwhelm the server, participating routers proactively regulate the contributing packet rates to more moderate levels, thus forestalling an impending attack. In allocating the server capacity among the routers, we propose a notion of level-k max-min fairness. We first present a control-theoretic model to evaluate algorithm convergence under a variety of system parameters. In addition, we present packet network simulation results using a realistic global network topology, and various models of good user and attacker distributions and behavior. Using a generator model of web requests parameterized by empirical data, we also evaluate the impact of throttling in protecting user access to a web server. First, for aggressive attackers, the throttle mechanism is highly effective in preferentially dropping attacker traffic over good user traffic. In particular, level-k max-min fairness gives better good-user protection than recursive pushback of max-min fair rate limits proposed in the literature. Second, throttling can regulate the experienced server load to below its design limit, in the presence of user dynamics, so that the server can remain operational during a DDoS attack. Lastly, we present implementation results of our prototype on a Pentium III/866 MHz machine. The results show that router throttling has low deployment overhead in time and memory.
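As an added illustration (not the paper's code), the following Python sketches the two mechanisms the abstract names: a max-min fair (water-filling) split of the server capacity among the level-k upstream routers, and a leaky-bucket throttle with which a router enforces its share. Router names, offered rates and the server capacity are constructed values, not figures from the paper.

```python
"""Added illustration (not the paper's code) of the two pieces the abstract
describes: a level-k max-min fair split of the server capacity among the
upstream routers offering traffic to it, and the leaky-bucket throttle each
router installs to enforce its share.  Rates are packets/s; values are constructed."""

def max_min_fair_throttles(offered, capacity):
    """Return {router: throttle rate} by water-filling: routers whose offered
    rate fits under the fair share keep all of it; the rest split what is
    left equally, so attacker-dominated (heavy) routers are the ones cut."""
    remaining, pending, alloc = float(capacity), dict(offered), {}
    while pending:
        share = remaining / len(pending)
        small = {r: d for r, d in pending.items() if d <= share}
        if not small:                        # everyone left exceeds the share
            alloc.update({r: share for r in pending})
            break
        for r, d in small.items():           # satisfy small demands fully
            alloc[r] = d
            remaining -= d
            del pending[r]
    return alloc

def drop_fractions(offered, alloc):
    """Fraction of each router's offered traffic its throttle will drop."""
    return {r: 0.0 if d == 0 else 1.0 - alloc[r] / d for r, d in offered.items()}

class RouterThrottle:
    """Token (leaky) bucket at an upstream router: forwards at most `rate`
    packets/s toward the server, with a burst allowance of `depth` packets."""
    def __init__(self, rate, depth=10):
        self.rate, self.depth = float(rate), float(depth)
        self.tokens, self.last = float(depth), 0.0

    def forward(self, now):  # True if a packet arriving at `now` (s) is forwarded
        self.tokens = min(self.depth, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

def forwarded_count(rate, n_pkts, duration):
    """Offer n_pkts evenly over `duration` s to a throttle of `rate` pkts/s."""
    t = RouterThrottle(rate)
    return sum(t.forward(i * duration / n_pkts) for i in range(n_pkts))

# Constructed scenario: 1000 pkts/s server, good-user routers R1/R2, floods on R3/R4.
OFFERED = {"R1": 100, "R2": 150, "R3": 2000, "R4": 3000}
CAPACITY = 1000
```

With the constructed scenario, R1 and R2 pass untouched while R3 and R4 are throttled to 375 pkts/s each, dropping about 81% and 88% of their offered (attack-dominated) traffic.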