Provider-based deterministic packet marking against distributed DoS attacks

Authors:
Vasilios A. Siris;Ilias Stavrakis
Affiliations:
Institute of Computer Science, Foundation for Research and Technology, Hellas (FORTH), P.O. Box 1385, GR 711 10 Heraklion, Crete, Greece;Institute of Computer Science, Foundation for Research and Technology, Hellas (FORTH), P.O. Box 1385, GR 711 10 Heraklion, Crete, Greece
Venue:
Journal of Network and Computer Applications
Year:
2007

Citing 13
Cited 2

Providing guaranteed services without per flow management

Proceedings of the conference on Applications, technologies, architectures, and protocols for computer communication
Practical network support for IP traceback

Proceedings of the conference on Applications, Technologies, Architectures, and Protocols for Computer Communication
On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law internets

Proceedings of the 2001 conference on Applications, technologies, architectures, and protocols for computer communications
Mapping the Internet

Computer
SOS: secure overlay services

Proceedings of the 2002 conference on Applications, technologies, architectures, and protocols for computer communications
Attacking DDoS at the Source

ICNP '02 Proceedings of the 10th IEEE International Conference on Network Protocols
IP Traceback-Based Intelligent Packet Filtering: A Novel Technique for Defending against Internet DDoS Attacks

ICNP '02 Proceedings of the 10th IEEE International Conference on Network Protocols
A practical method to counteract denial of service attacks

ACSC '03 Proceedings of the 26th Australasian computer science conference - Volume 16
Pi: A Path Identification Mechanism to Defend against DDoS Attacks

SP '03 Proceedings of the 2003 IEEE Symposium on Security and Privacy
DDoS attacks and defense mechanisms: classification and state-of-the-art

Computer Networks: The International Journal of Computer and Telecommunications Networking
Over-Zealous Security Administrators Are Breaking the Internet

LISA '02 Proceedings of the 16th USENIX conference on System administration
Provider-Based Deterministic Packet Marking against Distributed DoS Attacks

IPDPS '05 Proceedings of the 19th IEEE International Parallel and Distributed Processing Symposium (IPDPS'05) - Workshop 17 - Volume 18
Active internet traffic filtering: real-time response to denial-of-service attacks

ATEC '05 Proceedings of the annual conference on USENIX Annual Technical Conference

Design of the host guard firewall for network protection

ISP'08 Proceedings of the 7th WSEAS international conference on Information security and privacy
Performance of IP-forwarding of Linux hosts with multiple network interfaces

Journal of Network and Computer Applications

Quantified Score

Hi-index	0.00

Visualization

Abstract

One of the most serious security threats on the Internet are Distributed Denial of Service (DDoS) attacks, due to the significant service disruption they can create and the difficulty in preventing them. In this paper, we propose new deterministic packet marking models in order to characterize DDoS attack streams. Such a common characterization can be used to make filtering near the victim more effective. In this direction we propose a rate control scheme that protects destination domains by limiting the amount of traffic during an attack, while leaving a large percentage of legitimate traffic unaffected. The above features enable providers to offer enhanced security protection against such attacks as a value-added service to their customers, and hence offer positive incentives for them to deploy the proposed models. We evaluate the proposed marking models using a snapshot of the actual Internet topology, in terms of how well they differentiate attack traffic from legitimate traffic in cases of full and partial deployment.