Proceedings of the 2006 conference on Applications, technologies, architectures, and protocols for computer communications
Analyzing large DDoS attacks using multiple data sources
Proceedings of the 2006 SIGCOMM workshop on Large-scale attack defense
WebClass: adding rigor to manual labeling of traffic anomalies
ACM SIGCOMM Computer Communication Review
The need for simulation in evaluating anomaly detectors
ACM SIGCOMM Computer Communication Review
A generic language for application-specific flow sampling
ACM SIGCOMM Computer Communication Review
CSAMP: a system for network-wide flow monitoring
NSDI'08 Proceedings of the 5th USENIX Symposium on Networked Systems Design and Implementation
Wide-scale data stream management
ATC'08 USENIX 2008 Annual Technical Conference on Annual Technical Conference
ACM Transactions on Computer Systems (TOCS)
Modeling human behavior for defense against flash-crowd attacks
ICC'09 Proceedings of the 2009 IEEE international conference on Communications
Revisiting the case for a minimalist approach for network flow monitoring
IMC '10 Proceedings of the 10th ACM SIGCOMM conference on Internet measurement
dfence: transparent network-based denial of service mitigation
NSDI'07 Proceedings of the 4th USENIX conference on Networked systems design & implementation
Conflict on a communication channel
Proceedings of the 30th annual ACM SIGACT-SIGOPS symposium on Principles of distributed computing
Automating network monitoring on experimental testbeds
CSET'11 Proceedings of the 4th conference on Cyber security experimentation and test
Collaborative anomaly-based detection of large-scale internet attacks
Computer Networks: The International Journal of Computer and Telecommunications Networking
Spread Identity: A new dynamic address remapping mechanism for anonymity and DDoS defense
Journal of Computer Security
| Hi-index | 0.00 |
Many Denial of Service attacks use brute-force bandwidth flooding of intended victims. Such volume-based attacks aggregate at a target's access router, suggesting that (i) detection and mitigation are best done by providers in their networks; and (ii) attacks are most readily detectable at access routers, where their impact is strongest. In-network detection presents a tension between scalability and accuracy. Specifically, accuracy of detection dictates fine grained traffic monitoring, but performing such monitoring for the tens or hundreds of thousands of access interfaces in a large provider network presents serious scalability issues. We investigate the design space for in-network DDoS detection and propose a triggered, multi-stage approach that addresses both scalability and accuracy. Our contribution is the design and implementation of LADS (Large-scale Automated DDoS detection System). The attractiveness of this system lies in the fact that it makes use of data that is readily available to an ISP, namely, SNMP and Netflow feeds from routers, without dependence on proprietary hardware solutions. We report our experiences using LADS to detect DDoS attacks in a tier-1 ISP.