Article

dfence: transparent network-based denial of service mitigation

Authors:

Vitaly Shmatikov,

Yin ZhangAuthors Info & Claims

NSDI'07: Proceedings of the 4th USENIX conference on Networked systems design & implementation

Page 24

Published: 11 April 2007 Publication History

Abstract

Denial of service (DoS) attacks are a growing threat to the availability of Internet services. We present dFence, a novel network-based defense system for mitigating DoS attacks. The main thesis of dFence is complete transparency to the existing Internet infrastructure with no software modifications at either routers, or the end hosts. dFence dynamically introduces special-purpose middlebox devices into the data paths of the hosts under attack. By intercepting both directions of IP traffic (to and from attacked hosts) and applying stateful defense policies, dFence middleboxes effectively mitigate a broad range of spoofed and unspoofed attacks. We describe the architecture of the dFence middlebox, mechanisms for ondemand introduction and removal, and DoS mitigation policies, including defenses against DoS attacks on the middlebox itself. We evaluate our prototype implementation based on Intel IXP network processors.

References

[1]

S. Agarwal, T. Dawson, and C. Tryfonas. DDoS mitigation via regional cleaning centers. Sprint ATL Research Report RR04- ATL-013177, January 2004.

[2]

D. Andersen. Mayday: Distributed filtering for Internet services. In Proc. USITS, 2003.

Digital Library

[3]

ANML. DDoS attack tools. http://anml.iu.edu/ddos/ tools.html, 2001.

[4]

D. Bernstein. SYN cookies. http://cr.yp.to/ syncookies.html, 1996.

[5]

A. Broder and M. Mitzenmacher. Network applications of Bloom filters: A survey. Internet Mathematics, 1(4), 2004.

[6]

M. Casado, A. Akella, P. Cao, N. Provos, and S. Shenker. Cookies along trust-boundaries (CAT): Accurate and deployable flood protection. In Proc. SRUTI, 2006.

Digital Library

[7]

Cisco. Policy-based routing. http://www.cisco.com/ warp/public/732/Tech/plicy_wp.htm, 1996.

[8]

Cisco. Cisco Guard DDoS mitigation appliances. http:// www.cisco.com/en/US/products/ps5888/, 2007.

[9]

D. Dagon, C. Zou, and W. Lee. Modeling botnet propagation using time zones. In Proc. NDSS, 2006.

[10]

P. Ferguson and D. Senie. Network ingress filtering: Defeating denial of service attacks which employ IP source address spoofing. http://www.faqs.org/rfcs/rfc2827. html, 2000.

[11]

P. Francis. Firebreak: An IP perimeter defense architecture. http://www.cs.cornell.edu/People/ francis/hotnets-firebreak-v7.pdf, 2004.

[12]

T. Gil and M. Poletto. MULTOPS: A data-structure for bandwidth attack detection. In Proc. USENIX Security, 2001.

Digital Library

[13]

M. Handley, E. Kohler, A. Ghosh, O. Hodson, and P. Radoslavov. Designing extensible IP router software. In Proc. NSDI, 2005.

Digital Library

[14]

Iperf. The TCP/UDP bandwidth measurement tool. http:// dast.nlanr.net/Projects/Iperf/, 2003.

[15]

IXIA. http://www.ixiacom.com, 2006.

[16]

S. Kandula, D. Katabi, M. Jacob, and A. Berger. Botz-4-Sale: Surviving organized DDoS attacks that mimic flash crowds. In Proc. NSDI, 2005.

Digital Library

[17]

A. Keromytis, V. Misra, and D. Rubenstein. SOS: Secure Overlay Services. In Proc. SIGCOMM, 2002.

Digital Library

[18]

Y. Kim, W. Lau, M. Chuah, and J. Chao. PacketScore: Statisticsbased overload control against distributed denial-of-service attacks. In Proc. INFOCOM, 2004.

[19]

R. Kokku, U. Shevade, N. Shah, A. Mahimkar, T. Cho, and H. Vin. Processor scheduler for multi-service routers. In Proc. RTSS, 2006.

Digital Library

[20]

J. Lemon. Resisting SYN flood DoS attacks with a SYN cache. In Proc. BSDCon, 2002.

Digital Library

[21]

R. Mahajan, S. Bellovin, S. Floyd, J. Ioannidis, V. Paxson, and S. Shenker. Controlling high bandwidth aggregates in the network. CCR, 32(3), 2002.

Digital Library

[22]

J. Mirkovic, G. Prier, and P. Reiher. Attacking DDoS at the source. In Proc. ICNP, 2002.

Digital Library

[23]

D. Mosberger and T. Jin. httperf: A tool for measuring web server performance. Performance Evaluation Review, 26(3), 1998.

Digital Library

[24]

D. Pappalardo and E. Messmer. Extortion via DDoS on the rise. Network World, May 16 2005.

[25]

K. Park and H. Lee. On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law internets. In Proc. SIGCOMM, 2001.

Digital Library

[26]

Prolexic. The Prolexic Zombie Report. http://www. prolexic.com/zr/, 2007.

[27]

S. Savage, D. Wetherall, A. Karlin, and T. Anderson. Network support for IP traceback. IEEE/ACM Trans. Netw., 9(3), 2001.

Digital Library

[28]

V. Sekar, N. Duffield, K. van der Merwe, O. Spatscheck, and H. Zhang. LADS: Large-scale automated DDoS detection system. In Proc. USENIX, 2006.

Digital Library

[29]

A. Snoeren, C. Partridge, L. Sanchez, C. Jones, F. Tchakountio, S. Kent, and W. Strayer. Hash-based IP traceback. In Proc. SIGCOMM, 2001.

Digital Library

[30]

I. Stoica, D. Adkins, S. Zhuang, S. Shenker, and S. Surana. Internet indirection infrastructure. In Proc. SIGCOMM, 2002.

Digital Library

[31]

M. Walfish, J. Stribling, M. Krohn, H. Balakrishnan, R. Morris, and S. Shenker. Middleboxes no longer considered harmful. In Proc. OSDI, 2004.

Digital Library

[32]

M. Walfish, M. Vutukuru, H. Balakrishnan, D. Karger, and S. Shenker. DDoS defense by offense. In Proc. SIGCOMM, 2006.

Digital Library

[33]

H. Wang, D. Zhang, and K. Shin. Detecting SYN flooding attacks. In Proc. INFOCOM, 2002.

[34]

Y. Xu and R. Guerin. On the robustness of router-based denialof-service (DoS) defense systems. CCR, 35(3), 2005.

Digital Library

[35]

A. Yaar, A. Perrig, and D. Song. Pi: A path identification mechanism to defend against DDoS attacks. In Proc. IEEE S&P, 2003.

Digital Library

[36]

A. Yaar, A. Perrig, and D. Song. SIFF: A stateless Internet flow filter to mitigate DDoS flooding attacks. In Proc. IEEE S&P, 2004.

[37]

X. Yang, D. Wetherall, and T. Anderson. A DoS-limiting network architecture. In Proc. SIGCOMM, 2005.

Digital Library

[38]

D. Yau, J. Lui, F. Liang, and Y. Yam. Defending against distributed denial-of-service attacks with max-min fair server-centric router throttles. IEEE/ACM Trans. Netw., 13(1), 2005.

Digital Library

Cited By

Sahay RBlanc GZhang ZToumi KDebar HLacoste MRamos F(2017)Adaptive Policy-driven Attack Mitigation in SDNProceedings of the 1st International Workshop on Security and Dependability of Multi-Domain Infrastructures10.1145/3071064.3071068(1-6)Online publication date: 23-Apr-2017
https://dl.acm.org/doi/10.1145/3071064.3071068
Shin SYegneswaran VPorras PGu GSadeghi AGligor VYung M(2013)AVANT-GUARDProceedings of the 2013 ACM SIGSAC conference on Computer & communications security10.1145/2508859.2516684(413-424)Online publication date: 4-Nov-2013
https://dl.acm.org/doi/10.1145/2508859.2516684
Potharaju RJain NPapagiannaki KGummadi KPartridge C(2013)Demystifying the dark side of the middleProceedings of the 2013 conference on Internet measurement conference10.1145/2504730.2504737(9-22)Online publication date: 23-Oct-2013
https://dl.acm.org/doi/10.1145/2504730.2504737
Show More Cited By

dfence: transparent network-based denial of service mitigation
1. Networks
  1. Network services

Recommendations

D-ward: source-end defense against distributed denial-of-service attacks
A Distributed Security Approach against ARP Cache Poisoning Attack
CySSS '22: Proceedings of the 1st Workshop on Cybersecurity and Social Sciences

The Address Resolution Protocol (ARP) has a critical function in the Internet protocol suite, however, it was not designed for security as it does not verify that a response to an ARP request really comes from an authorized party. This weak point in the ...
Detecting Insider Theft of Trade Secrets

Trusted insiders who misuse their privileges to gather and steal sensitive information represent a potent threat to businesses. Applying access controls to protect sensitive information can reduce the threat but has significant limitations. Even if ...

Comments

Information & Contributors

Information

Published In

cover image Guide Proceedings

NSDI'07: Proceedings of the 4th USENIX conference on Networked systems design & implementation

April 2007

27 pages

Sponsors

VMware
Google Inc.
Microsoft Research: Microsoft Research
Intel: Intel
CISCO

Publisher

USENIX Association

United States

Publication History

Published: 11 April 2007

Qualifiers

Article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

13
Total Citations
View Citations
0
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 28 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

Sahay RBlanc GZhang ZToumi KDebar HLacoste MRamos F(2017)Adaptive Policy-driven Attack Mitigation in SDNProceedings of the 1st International Workshop on Security and Dependability of Multi-Domain Infrastructures10.1145/3071064.3071068(1-6)Online publication date: 23-Apr-2017
https://dl.acm.org/doi/10.1145/3071064.3071068
Shin SYegneswaran VPorras PGu GSadeghi AGligor VYung M(2013)AVANT-GUARDProceedings of the 2013 ACM SIGSAC conference on Computer & communications security10.1145/2508859.2516684(413-424)Online publication date: 4-Nov-2013
https://dl.acm.org/doi/10.1145/2508859.2516684
Potharaju RJain NPapagiannaki KGummadi KPartridge C(2013)Demystifying the dark side of the middleProceedings of the 2013 conference on Internet measurement conference10.1145/2504730.2504737(9-22)Online publication date: 23-Oct-2013
https://dl.acm.org/doi/10.1145/2504730.2504737
Doron EWool A(2011)WDAComputer Networks: The International Journal of Computer and Telecommunications Networking10.1016/j.comnet.2010.05.00155:5(1037-1051)Online publication date: 1-Apr-2011
https://dl.acm.org/doi/10.1016/j.comnet.2010.05.001
Liu XYang XXia Y(2010)NetFenceACM SIGCOMM Computer Communication Review10.1145/1851275.185121440:4(255-266)Online publication date: 30-Aug-2010
https://dl.acm.org/doi/10.1145/1851275.1851214
Liu XYang XXia YKalyanaraman SPadmanabhan VRamakrishnan KShorey RRamakrishnan KVoelker G(2010)NetFenceProceedings of the ACM SIGCOMM 2010 conference10.1145/1851182.1851214(255-266)Online publication date: 30-Aug-2010
https://dl.acm.org/doi/10.1145/1851182.1851214
Walfish MVutukuru MBalakrishnan HKarger DShenker S(2010)DDoS defense by offenseACM Transactions on Computer Systems10.1145/1731060.173106328:1(1-54)Online publication date: 4-Aug-2010
https://dl.acm.org/doi/10.1145/1731060.1731063
Clement AWong EAlvisi LDahlin MMarchetti MRexford JSirer E(2009)Making Byzantine fault tolerant systems tolerate Byzantine faultsProceedings of the 6th USENIX symposium on Networked systems design and implementation10.5555/1558977.1558988(153-168)Online publication date: 22-Apr-2009
https://dl.acm.org/doi/10.5555/1558977.1558988
Dixon CAnderson TKrishnamurthy A(2008)PhalanxProceedings of the 5th USENIX Symposium on Networked Systems Design and Implementation10.5555/1387589.1387593(45-58)Online publication date: 16-Apr-2008
https://dl.acm.org/doi/10.5555/1387589.1387593
Liu XYang XLu YBahl VWetherall DSavage SStoica I(2008)To filter or to authorizeProceedings of the ACM SIGCOMM 2008 conference on Data communication10.1145/1402958.1402981(195-206)Online publication date: 17-Aug-2008
https://dl.acm.org/doi/10.1145/1402958.1402981
Show More Cited By

View Options

View options

Figures

Tables

Media

View Table of Conten