Perimeter-Based Defense against High Bandwidth DDoS Attacks
Distributed denial of service (DDoS) is a major threat to the availability of Internet services. The anonymity allowed by IP networking, together with the distributed, large-scale nature of the Internet, makes DDoS attacks stealthy and difficult to counter. To make the problem worse, attack traffic is often indistinguishable from normal traffic. As various attack tools become widely available and require minimal knowledge to operate, automated anti-DDoS systems become increasingly important. Many current solutions are either excessively expensive or require universal deployment across many administrative domains.
This paper proposes two perimeter-based defense mechanisms that allow Internet service providers (ISPs) to provide an anti-DDoS service to their customers. These mechanisms rely entirely on the edge routers to cooperatively identify the flooding sources and establish rate-limit filters to block the attack traffic. The system does not require any support from routers outside or inside the ISP, which not only makes it locally deployable but also avoids placing stress on the ISP core routers. We also study a new problem, perimeter-based IP traceback, and provide three solutions. We demonstrate analytically and by simulations that the proposed defense mechanisms react quickly in blocking attack traffic while achieving a high survival ratio for legitimate traffic. Even when 40 percent of all customer networks attack, the survival ratio for traffic from the other customer networks is still close to 100 percent.
This paper proposes a class of perimeter-based defense mechanisms, which allows Internet service providers (ISPs) to provide an anti-DDoS service to their customers. The edge routers of an ISP form a perimeter separating the customer networks from the rest of the Internet. Our first contribution is to study how to turn the ISP perimeter into a defense barrier against DDoS attacks. Depending on how the edge routers communicate with each other, we present two defense mechanisms, DPM (defense perimeter based on multicast) and DPIT (defense perimeter based on IP traceback). Our second contribution is to design an IP traceback scheme that is deployed only along a perimeter, to suit the perimeter-based defense solutions. This traceback scheme is more practical because it can be locally deployed; it is also more efficient than existing ones because it specializes in identifying the entry points, rather than the paths, of a DDoS attack. Our third contribution is to provide an evaluation framework to study perimeter-based defense analytically and by simulations. Several performance metrics are proposed and studied.
The edge routers form a natural boundary between the ISP network and the rest of the Internet. This boundary, called the ISP perimeter, can be turned into a defense barrier against network intrusions. We proposed two perimeter-based defense mechanisms, DPM and DPIT, which mitigate DDoS attacks by blocking the flooding sources while allowing most legitimate traffic to reach the destination. To the best of our knowledge, this is also the first work to study perimeter-based IP traceback, for which we proposed three solutions. Our analysis and simulations demonstrated that DPM and DPIT selectively block the attack traffic and quickly converge to the desired rate. We also discussed how neighboring ISPs can cooperate to improve the performance.
GONE: an Infrastructure Overlay for Resilient, DoS-Limiting Networking
With today's growth in the volume and variety of information flowing across the Internet, data and services are experiencing various problems with the TCP/IP infrastructure, most notably in availability, reliability and mobility. A resilient infrastructure is therefore highly desirable, in particular for multimedia streaming applications. So far, the proposed approaches have focused on applying application-layer routing and path monitoring for reliability, and on enforcing stateful packet filters in hosts or in the network to protect against Denial of Service (DoS) attacks. Each of them solves its own aspect of the problem, trading scalability for availability and reliability among a relatively small set of nodes, yet no single overall solution is available that addresses these issues at large scale.
We propose an alternative overlay network architecture by introducing a set of generic functions in network edges and end hosts. We conjecture that the network edge constitutes a major source of DoS, resilience and mobility issues for the network, and propose a new solution to this problem, namely the General Internet Signaling Transport (GIST) Overlay Networking Extension, or GONE. The basic idea of GONE is to create a semi-permanent overlay mesh consisting of GONE-enabled edge routers, which employs capability-based DoS prevention and forwards end-to-end user traffic using the GIST messaging associations.
GONE's use of GIST on top of SCTP allows multi-homing, multi-streaming and partial reliability, while introducing only limited overhead for maintaining the messaging association. In addition, on top of the services provided by GONE overlays, hosts are identified by unique host identities that are independent of their topological location, and they require only (de-)multiplexing instead of the traditional connection management and other complex functionality of the transport layer.
As a result, this approach offers a number of advantages for upper-layer end-to-end applications, including intrinsic provisioning of resilience and DoS prevention in a dynamic and nomadic environment. In this paper, we presented GONE, an overlay architecture intended to be a self-organized, scalable, DoS-limiting and robust wide-area infrastructure that efficiently routes traffic in the presence of path faults and node mobility. We showed how a GONE overlay network can be efficiently constructed and can employ capability-based DoS prevention to enhance resilience and availability in dynamic and mobile environments, while relying on lower-layer functions to provide self-management, robustness, dynamic routing, and failure detection and recovery in the presence of failures and high load.
Moreover, GONE provides a plausible solution for customizing the network edge, where most advanced functions such as peer-to-peer, VoIP or NAT traversal are located. This paper presents such a use for dynamic overlay routing that needs to deliver messages across ISP networks in a location-independent manner, typically over pre-established messaging associations and without centralized services. GONE achieves this, in part, by using HIP host identifiers, capability concepts, soft state, and the reuse of standard common signaling components in the network edge, providing both mobility and enhanced service availability and network resilience.