Practical network support for IP traceback
Proceedings of the conference on Applications, Technologies, Architectures, and Protocols for Computer Communication
Proceedings of the 2001 conference on Applications, technologies, architectures, and protocols for computer communications
Proceedings of the 2001 conference on Applications, technologies, architectures, and protocols for computer communications
An analysis of using reflectors for distributed denial-of-service attacks
ACM SIGCOMM Computer Communication Review
Controlling high bandwidth aggregates in the network
ACM SIGCOMM Computer Communication Review
Proceedings of the 2002 conference on Applications, technologies, architectures, and protocols for computer communications
Internet indirection infrastructure
Proceedings of the 2002 conference on Applications, technologies, architectures, and protocols for computer communications
Pi: A Path Identification Mechanism to Defend against DDoS Attacks
SP '03 Proceedings of the 2003 IEEE Symposium on Security and Privacy
An Economic Damage Model for Large-Scale Internet Attacks
WETICE '04 Proceedings of the 13th IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises
Adaptive Distributed Traffic Control Service for DDoS Attack Mitigation
IPDPS '05 Proceedings of the 19th IEEE International Parallel and Distributed Processing Symposium (IPDPS'05) - Workshop 17 - Volume 18
A Framework for Rule Processing in Reconfigurable Network Systems
FCCM '05 Proceedings of the 13th Annual IEEE Symposium on Field-Programmable Custom Computing Machines
Mayday: distributed filtering for internet services
USITS'03 Proceedings of the 4th conference on USENIX Symposium on Internet Technologies and Systems - Volume 4
Protecting TCP services from denial of service attacks
Proceedings of the 2006 SIGCOMM workshop on Large-scale attack defense
Computer Networks: The International Journal of Computer and Telecommunications Networking - Active networks
Journal of Network and Computer Applications
| Hi-index | 0.00 |
The frequency and intensity of Internet attacks are rising at an alarming pace. Several technologies and concepts were proposed for fighting distributed denial of service (DDoS) attacks: traceback, pushback, i3, SOS and Mayday. This paper shows that in the case of DDoS reflector attacks they are either ineffective or even counterproductive. We then propose the novel concept of traffic ownership and describe a system that extends control over network traffic by network users to the Internet using adaptive traffic processing devices. We safely delegate partial network management capabilities from network operators to network users. All network packets with a source or destination address ''owned'' by a network user can now also be controlled within the Internet instead of only at the network user's Internet uplink. By limiting the traffic control features and by restricting the realm of control to the ''owner'' of the traffic, we can rule out misuse of this system. Applications of our system are manifold: prevention of source address spoofing, DDoS attack mitigation, distributed firewall-like filtering, new ways of collecting traffic statistics, service-level agreement validation, traceback, distributed network debugging, support for forensic analyses and many more. A use case illustrates how our system enables network users to prevent and react to DDoS attacks.