Book Chapter

Path attestation scheme to avert DDoS flood attacks

11 May 2010, pp. 397-408

TL;DR: The Path Attestation Scheme, coupled with a metric called "Confidence Index", was able to successfully distinguish between malicious and genuine traffic 85% of the time; the scheme presupposes support from a fraction of routers in the path.

Abstract: DDoS mitigation schemes are increasingly becoming relevant in the Internet. The main hurdle faced by such schemes is the "nearly indistinguishable" line between malicious traffic and genuine traffic. It is best tackled with a paradigm shift in connection handling by attesting the path. We therefore propose the scheme called "Path Attestation Scheme", coupled with a metric called "Confidence Index", to tackle the problem of distinguishing malicious and genuine traffic in a progressive manner, with varying levels of certainty. We support our work through an experimental study that establishes the stability of Internet topology using 134 different global Internet paths over a period of 16 days. Our Path Attestation Scheme was able to successfully distinguish between malicious and genuine traffic 85% of the time. The scheme presupposes support from a fraction of routers in the path.



Citations
Journal Article
TL;DR: Constraint programming is an emergent field in operations research that focuses on the constraints and variables domain rather than the objective functions and finds a feasible solution rather than optimization.
Abstract: A constraint is defined as a logical relation among several unknown quantities or variables, each taking a value in a given domain. Constraint Programming (CP) is an emergent field in operations research. Constraint programming is based on feasibility which means finding a feasible solution rather than optimization which means finding an optimal solution and focuses on the constraints and variables domain rather than the objective functions. While defining a set of constraints, this may seem a simple way to model a real-world problem but finding a good model that works well with a chosen solver is not that easy. A model could be very hard to solve if it is poorly chosen.

1 citations

Journal Article
TL;DR: This paper focuses on Distributed Denial of Service attacks, surveying and classifying them, and also on the mitigation techniques proposed in the literature by various researchers.
Abstract: Today most activities like trade and e-commerce are dependent on the availability of the Internet. The growing use of Internet services in the past few years has facilitated an increase in distributed denial of service attacks. Due to DDoS attacks caused by malicious hosts, secured data communication over the Internet is very difficult to achieve and is the need of the hour. DDoS attacks are one of the most widely spread problems faced by most Internet service providers (ISPs). The work which had already been done was in the direction of detection, prevention and trace-back of DDoS attacks. Mitigation of these attacks has also gained utmost importance in the present scenario. A number of techniques have been proposed by various researchers, but those techniques produce high collateral damage, so more effort is needed in the area of mitigation of DDoS attacks. This paper focuses on Distributed Denial of Service attacks, surveys, classification and also the mitigation techniques proposed in the literature by various researchers.

Cites methods from "Path attestation scheme to avert DD..."

  • ...[2] Raktim Bhattacharjee, S. Sanand, and S.V. Raghavan....


  • ...Abraham[17] in 2003 and Raktim[2] in 2010 proposed mitigation techniques based on Path identification and attestation; Nicholas[10] in 2007 proposed Client puzzles to mitigate DDos attacks whereas Antonis Michalas[4] 2010....



References
Journal Article
01 Apr 2004
TL;DR: This paper presents two taxonomies for classifying attacks and defenses in distributed denial-of-service (DDoS) and provides researchers with a better understanding of the problem and the current solution space.
Abstract: Distributed denial-of-service (DDoS) is a rapidly growing problem. The multitude and variety of both the attacks and the defense approaches is overwhelming. This paper presents two taxonomies for classifying attacks and defenses, and thus provides researchers with a better understanding of the problem and the current solution space. The attack classification criteria were selected to highlight commonalities and important features of attack strategies that define challenges and dictate the design of countermeasures. The defense taxonomy classifies the body of existing DDoS defenses based on their design decisions; it then shows how these decisions dictate the advantages and deficiencies of proposed solutions.

1,747 citations


"Path attestation scheme to avert DD..." refers background in this paper

  • ...Though behavioral based schemes can detect unknown attacks, they suffer from several drawbacks as listed in [5]....

01 Jan 1998
TL;DR: A simple, effective, and straightforward method for using ingress traffic filtering to prohibit DoS attacks which use forged IP addresses to be propagated from 'behind' an Internet Service Provider's (ISP) aggregation point is discussed.
Abstract: Recent occurrences of various Denial of Service (DoS) attacks which have employed forged source addresses have proven to be a troublesome issue for Internet Service Providers and the Internet community overall. This paper discusses a simple, effective, and straightforward method for using ingress traffic filtering to prohibit DoS attacks which use forged IP addresses to be propagated from 'behind' an Internet Service Provider's (ISP) aggregation point.

1,555 citations


"Path attestation scheme to avert DD..." refers background in this paper

  • ...HopCount Filtering [8] is a type of host based scheme....


  • ...Ingress Filtering [1] is one such type of solution where ingress routers block packets that arrive with source addresses having prefixes that do not match the customer’s network prefixes....


Journal Article
TL;DR: It is found that Internet paths are heavily dominated by a single prevalent route, but that the time periods over which routes persist show wide variation, ranging from seconds up to days.
Abstract: The large-scale behavior of routing in the Internet has gone virtually without any formal study, the exceptions being Chinoy's (1993) analysis of the dynamics of Internet routing information, and work, similar in spirit, by Labovitz, Malan, and Jahanian (see Proc. SIGCOMM'97, 1997). We report on an analysis of 40000 end-to-end route measurements conducted using repeated "traceroutes" between 37 Internet sites. We analyze the routing behavior for pathological conditions, routing stability, and routing symmetry. For pathologies, we characterize the prevalence of routing loops, erroneous routing, infrastructure failures, and temporary outages. We find that the likelihood of encountering a major routing pathology more than doubled between the end of 1994 and the end of 1995, rising from 1.5% to 3.3%. For routing stability, we define two separate types of stability, "prevalence", meaning the overall likelihood that a particular route is encountered, and "persistence", the likelihood that a route remains unchanged over a long period of time. We find that Internet paths are heavily dominated by a single prevalent route, but that the time periods over which routes persist show wide variation, ranging from seconds up to days. About two-thirds of the Internet paths had routes persisting for either days or weeks. For routing symmetry, we look at the likelihood that a path through the Internet visits at least one different city in the two directions. At the end of 1995, this was the case half the time, and at least one different autonomous system was visited 30% of the time.

803 citations


"Path attestation scheme to avert DD..." refers background in this paper

  • ...According to a study [6] done during 1994-1995, about 2/3 of the Internet paths had routing persistence of either days or weeks, and most variation was in either one or two routers....

Proceedings Article
01 Jan 2002
TL;DR: This paper presents an architecture for Pushback, its implementation under FreeBSD, and suggestions for how such a system can be implemented in core routers.
Abstract: Pushback is a mechanism for defending against distributed denial-of-service (DDoS) attacks. DDoS attacks are treated as a congestion-control problem, but because most such congestion is caused by malicious hosts not obeying traditional end-to-end congestion control, the problem must be handled by the routers. Functionality is added to each router to detect and preferentially drop packets that probably belong to an attack. Upstream routers are also notified to drop such packets (hence the term Pushback) in order that the router's resources be used to route legitimate traffic. In this paper we present an architecture for Pushback, its implementation under FreeBSD, and suggestions for how such a system can be implemented in core routers.

598 citations


"Path attestation scheme to avert DD..." refers methods in this paper

  • ...The Pushback scheme [2] views flooding by DDoS as a congestion problem....

Proceedings Article
11 May 2003
TL;DR: Pi (short for path identifier) is a new packet marking approach in which a path fingerprint is embedded in each packet, enabling a victim to identify packets traversing the same paths through the Internet on a per-packet basis, regardless of source IP address spoofing.
Abstract: Distributed denial of service (DDoS) attacks continue to plague the Internet. Defense against these attacks is complicated by spoofed source IP addresses, which make it difficult to determine a packet's true origin. We propose Pi (short for path identifier), a new packet marking approach in which a path fingerprint is embedded in each packet, enabling a victim to identify packets traversing the same paths through the Internet on a per packet basis, regardless of source IP address spoofing. Pi features many unique properties. It is a per-packet deterministic mechanism: each packet traveling along the same path carries the same identifier. This allows the victim to take a proactive role in defending against a DDoS attack by using the Pi mark to filter out packets matching the attackers' identifiers on a per packet basis. The Pi scheme performs well under large-scale DDoS attacks consisting of thousands of attackers, and is effective even when only half the routers in the Internet participate in packet marking. Pi marking and filtering are both extremely lightweight and require negligible state. We use traceroute maps of real Internet topologies (e.g. CAIDA's Skitter (2000) and Burch and Cheswick's Internet Map (1999, 2002)) to simulate DDoS attacks and validate our design.

437 citations


"Path attestation scheme to avert DD..." refers methods in this paper

  • ...Further, network based solutions like Pi [10] and SIFF [9] use path based identification to filter out attack packets....
