
Showing papers on "DDoS mitigation" published in 2007


Proceedings ArticleDOI
26 Feb 2007
TL;DR: A dynamic algorithm based on the concept of fuzzy logic applied to the hop-count filtering technique to mitigate distributed DoS is proposed.
Abstract: DoS is an attack which overwhelms victims' servers and services. Distributed DoS attacks do not let legitimate users access services provided by servers. Several techniques have been proposed to mitigate such attacks. Preventive techniques have proven their effectiveness. However, most of those techniques require historic data and training. We propose a dynamic algorithm based on the concept of fuzzy logic applied to the hop-count filtering technique to mitigate distributed DoS. Very promising results of this technique are shown in this paper.

10 citations


Proceedings Article
14 Mar 2007
TL;DR: A DDoS mitigation system based on Bloom filters, which has been prototyped in a Linux system and tested in the local laboratory, is shown to be capable of attenuating the effects of a typical DDoS attack and is able to mitigate a large amount of disrupting traffic.
Abstract: Distributed denial of service (DDoS) is a serious threat to service availability that poses important concerns. Web-based organizations are under great pressure to prevent, detect, react to, and mitigate DDoS attacks, which can lead to severe outages. The main contribution of this paper is a DDoS mitigation system based on Bloom filters, which has been prototyped in a Linux system and tested in our local laboratory. Our experiments show that our system is capable of attenuating the effects of a typical DDoS attack and is able to mitigate a large amount of disrupting traffic.

4 citations


21 Jun 2007
TL;DR: Stateful Anycast is designed to support stateful sessions without losing anycast’s ability to defend against DDoS attacks, and employs a set of anycasted proxies to direct packets to the proper stateholder.
Abstract: Distributed denial-of-service (DDoS) attacks can easily cripple victim hosts or networks, yet effective defenses remain elusive. Normal anycast can be used to force the diffusion of attack traffic over a group of several hosts to increase the difficulty of saturating resources at or near any one of the hosts. However, because a packet sent to the anycast group may be delivered to any member, anycast does not support protocols that require a group member to maintain state (such as TCP). This makes anycast impractical for most applications of interest. This document describes the design of Stateful Anycast, a conceptual anycast-like network service based on IP anycast. Stateful Anycast is designed to support stateful sessions without losing anycast's ability to defend against DDoS attacks. Stateful Anycast employs a set of anycasted proxies to direct packets to the proper stateholder. These proxies provide DDoS protection by dropping a session's packets upon group member request. Stateful Anycast is incrementally deployable and can scale to support many groups.
Thesis Supervisor: Karen R. Sollins, Principal Research Scientist

3 citations
Proceedings ArticleDOI
18 Dec 2007
TL;DR: This tutorial will explain the extent of the problem, the tools used by the attackers, and problems with using routers, switches, firewalls and intrusion prevention systems to mitigate DDoS attacks.
Abstract: With BotNets proliferating around the world exponentially, Internet infrastructure, which includes e-commerce infrastructure, financial infrastructure, critical infrastructure, national infrastructure, etc., can be easily overwhelmed by distributed denial of service (DDoS) attacks. Worms of Mass Destruction are used by criminals to spread terror and to destabilize infrastructure. With increasing dependence on Internet infrastructure for banking, e-commerce, telecom, utilities, and national security, it is therefore imperative that system architects understand the new threats and understand the mitigation tools and techniques available. This tutorial will explain the extent of the problem, the tools used by the attackers, and the problems with using routers, switches, firewalls and intrusion prevention systems to mitigate DDoS attacks. This will be followed by a survey of specialized DDoS mitigation tools and techniques and their benefits in a vendor-neutral manner. Current research in top universities centered on this area will be discussed along with trends in the attack patterns. To conclude, future research directions will be discussed so that the attendees get a complete picture.

Book ChapterDOI
01 Jan 2007
TL;DR: A DDoS mitigation architecture that protects legitimate traffic from the large volume of malicious packets during a DDoS bandwidth attack by keeping a legitimacy list and gives higher priority to those packets that are on the list.
Abstract: We propose a DDoS mitigation architecture that protects legitimate traffic from the large volume of malicious packets during a DDoS bandwidth attack. The system keeps a legitimacy list and gives higher priority to those packets that are on the list. The legitimacy list is kept up to date by keeping only the entries that complete the TCP three-way handshake, and thus defeats IP spoofing. Entries in the list contain the IP address and the path signature of active TCP connections. A packet obtains high priority if its path signature strongly correlates with the corresponding path signature stored in the legitimacy list. We show that the scheme is efficient when deployed incrementally by using priority queuing at perimeter routers. An autonomous system (AS) can immediately benefit from our proposed system when it is deployed, even if other ASs do not deploy it.