Scalable multicast based filtering and tracing framework for defeating distributed DoS attacks

Published: 01 January 2005

Abstract

In this paper we present a distributed scalable framework to support on-demand filtering and tracing services for defeating distributed denial of service attacks. Our filtering mechanism is designed to quickly identify a set of boundary filter locations so that attack packets might be dropped as close as possible to their origin(s). We argue that precisely identifying the origins of an attack is not achievable when there is only a partial deployment of tracing nodes--as is likely to be the case in practice. Thus we present a tracing mechanism which can identify sets of candidate nodes containing attack origins. Both mechanisms leverage multicasting services to achieve scalable, responsive and robust operation, and operate with a partial and incremental deployment. Performance evaluations of proposed approaches on both real and synthetic topologies show that a small coverage of filtering and tracing components throughout a network can be effective at blocking and localizing attacks.

Published In

International Journal of Network Management, Volume 15, Issue 1
January 2005
69 pages

Publisher

John Wiley & Sons, Inc.

United States
