This paper describes Active Internet Traffic Filtering (AITF), a mechanism for blocking highly distributed denial-of-service (DDoS) attacks. These attacks are an acute contemporary problem, with few practical solutions available today; we describe in this paper the reasons why no effective DDoS filtering mechanism has been deployed yet. We show that the current Internet's routers have sufficient filtering resources to thwart such attacks, with the condition that attack traffic be blocked close to its sources; AITF leverages this observation. Our results demonstrate that AITF can block a million-flow attack within seconds, while it requires only tens of thousands of wire-speed filters per participating router -- an amount easily accommodated by today's routers. AITF can be deployed incrementally and yields benefits even to the very first adopters.