Attacking DDoS at the source
Citations
A taxonomy of DDoS attack and DDoS defense mechanisms
A Survey of Defense Mechanisms Against Distributed Denial of Service (DDoS) Flooding Attacks
Survey of network-based defense mechanisms countering the DoS and DDoS problems
DDoS attacks and defense mechanisms: classification and state-of-the-art
A framework for classifying denial of service attacks
References
Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing
Practical network support for IP traceback
EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances
On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law internets
Frequently Asked Questions (19)
Q2. What have the authors stated for future works in "Attacking ddos at the source" ?
The authors briefly discuss several open issues and plan to investigate them in future work. They plan to investigate the introduction of past-attack memory into the classification process. They will also investigate possibilities for communication between D-WARD and the victim, and between several D-WARD systems, with the goal of detecting more subtle UDP attacks. As discussed in Section 2.2, the limited size of the connection hash table offers the possibility of poor service to legitimate connections that begin during the attack.
Q3. What is the cost of deploying D-WARD?
The cost of deploying D-WARD consists of the delay introduced by passing packets through the rate-limiting module, and the storage dedicated to the flow hash table and the connection hash table.
Q4. How fast do UDP attacks get detected?
In the case of attacks with gradually increasing rates, UDP attacks get detected more quickly than TCP attacks at lower attack rates.
Q5. How many Mbps of traffic does the network experience?
The network has approximately 800 machines and experiences an average of 5.5 Mbps (peak 20 Mbps) of outgoing traffic and 5.8 Mbps (peak 23 Mbps) of incoming traffic.
Q6. What is the lowest rate limit that can be imposed?
The lowest rate limit that can be imposed is defined by the minimum-rate configuration parameter, so that at least some packets can reach the destination and trigger a recovery phase.
Q7. What is the purpose of protocol and application scrubbing?
Protocol and application scrubbing [14] (typically applied at the entry point to a victim network) have been proposed to remove ambiguities from transport and application protocols.
Q8. What is the purpose of the observation component?
The observation component monitors all packets passing through the source router and gathers statistics on two-way communication between the police address set and the rest of the Internet.
Q9. How did the system perform with real traffic?
In order to test D-WARD’s performance with realistic traffic, the authors modified the system to read packet header data from a tcpdump-generated trace file instead of sniffing it from the network.
Q10. What could be the effect of a denial-of-service attack on the source network?
An attacker could perform a denial-of-service attack on the source network, preventing the response packets from reaching the D-WARD system.
Q11. What is the way to prevent attacks from originating from the source network?
A protocol scrubber could be installed at the exit point of the source network and thus prevent vulnerability-based attacks originating from this network.
Q12. What is the problem of regulating the sending rate of a one-way flow?
The problem of regulating the sending rate of a one-way flow to the level manageable by the receiver (or the route to the receiver) has been recognized and addressed by the TCP congestion control mechanism.
Q13. What is the maximum rate of attacks in ICMP?
Since all attacks are generated from a single machine, the maximum rate that can be generated in the ICMP attack case is lower than the maximum rate generated in the TCP and UDP cases.
Q14. What is the rate limit for a flow that is classified as an attack?
When the flow is classified as an attack flow for the first time after a long period of normal activity, its rate is limited to a fraction of the offending sending rate.
Q15. What could be the effect of the rate limit on outgoing traffic?
Seeing the reduced number of response packets, D-WARD could reach the conclusion that the source network is generating a DDoS attack and place the rate limit on outgoing flows.
Q16. Why does the attack occur at a constant rate?
This is due to the sudden onset of the attack, which creates a sufficient disturbance in the network to be quickly detected and controlled.
Q17. What is the way to classify a connection as bad?
If the attacker attempts to smuggle an excess amount of traffic, the attack would be detected and the connection would be classified as bad.
Q18. What is the definition of a fast recovery phase?
After the flow has been rate-limited and classified as compliant for a configured number of consecutive observation intervals, the fast-recovery phase is triggered.
Q19. What is the way to attack a D-WARD network?
This type of attack is possible, but it would require the attacker to gather twice the number of slave machines, half within the D-WARD network for the actual attack and half on the outside for spoofed reply generation.
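To make the rate-limiting behaviour described in Q6, Q8, Q14 and Q18 concrete, here is a toy per-flow limiter written as an added illustration; it is not the D-WARD code, and the one-way-flow ratio test, the parameter names and all threshold values are assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class FlowStats:
    """Two-way statistics for one destination flow in one observation interval (constructed input)."""
    sent_pkts: int   # packets the source network sent to the destination
    recv_pkts: int   # reply packets seen coming back from the destination

class FlowLimiter:
    """Rate-limit state for one flow: normal -> attack -> fast_recovery -> normal."""
    def __init__(self, max_ratio=3.0, attack_fraction=0.5, min_rate=10.0,
                 max_rate=1000.0, compliant_period=2, recovery_factor=2.0):
        self.max_ratio = max_ratio                # assumed sent/recv ratio that flags a one-way flow
        self.attack_fraction = attack_fraction    # first limit is this fraction of the offending rate
        self.max_rate = max_rate                  # once the limit grows past this it is lifted
        self.min_rate = min_rate                  # floor: some packets must still reach the destination
        self.compliant_period = compliant_period  # compliant intervals needed to enter fast recovery
        self.recovery_factor = recovery_factor    # limit growth per interval during fast recovery
        self.limit: Optional[float] = None        # packets per interval; None means no limit imposed
        self.compliant_intervals = 0
        self.state = "normal"

    def is_attack(self, s: FlowStats) -> bool:
        # A flow that sends far more than it gets back looks like a flood (assumed heuristic).
        return s.sent_pkts > self.max_ratio * max(s.recv_pkts, 1)

    def observe(self, s: FlowStats) -> Optional[float]:
        """Consume one interval's statistics and return the limit to apply in the next interval."""
        if self.is_attack(s):
            self.compliant_intervals = 0
            self.state = "attack"
            base = s.sent_pkts if self.limit is None else self.limit
            # First detection: a fraction of the offending rate; repeated offence: tighten further.
            # The floor keeps some packets flowing so a recovery phase can still be triggered.
            self.limit = max(base * self.attack_fraction, self.min_rate)
        elif self.limit is not None:
            self.compliant_intervals += 1
            if self.compliant_intervals >= self.compliant_period:
                self.state = "fast_recovery"
                self.limit *= self.recovery_factor
                if self.limit >= self.max_rate:
                    self.limit, self.state = None, "normal"  # limit lifted
        return self.limit

    def forward(self, pkts: int) -> int:
        """Number of packets the rate-limiting module lets through this interval."""
        return pkts if self.limit is None else min(pkts, int(self.limit))
```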