
Showing papers on "DDoS mitigation published in 2008"


Proceedings ArticleDOI
13 Apr 2008
TL;DR: This work introduces a formal statistical framework, derives a Bayes optimal packet classifier from it, and proposes a practical algorithm that mitigates DDoS attacks near the victim and outperforms existing methods by at least 32% in terms of collateral damage.
Abstract: Distributed denial of service (DDoS) attacks are today the most destabilizing factor in the global internet and there is a strong need for sophisticated solutions. We introduce a formal statistical framework and derive a Bayes optimal packet classifier from it. Our proposed practical algorithm "adaptive history-based IP filtering" (AHIF) mitigates DDoS attacks near the victim and outperforms existing methods by at least 32% in terms of collateral damage. Furthermore, it adjusts to the strength of an ongoing attack and ensures availability of the attacked server. In contrast to other adaptive solutions, firewall rulesets used to resist an attack can be precalculated before an attack takes place. This ensures an immediate response in a DDoS emergency. For evaluation, simulated DDoS attacks and two real-world user traffic datasets are used.

26 citations


Journal ArticleDOI
TL;DR: This paper proposes a fairness-based approach to the IP traceback problem, the edge sampling algorithm with probability distribution fairness (ESA-PDF), which reduces the convergence time of conventional edge sampling algorithms.

19 citations


Proceedings ArticleDOI
09 Dec 2008
TL;DR: Presents nf-HiShape, a simple high-performance Linux kernel module that can shape thousands of source IP addresses at different bandwidth limits even under high packet rates; its shaping algorithm is comparable to Random Early Detection (RED) applied to every single source IP range.
Abstract: Distributed Denial of Service (DDoS) attack mitigation systems usually generate a list of filter rules in order to block malicious traffic. In contrast to this binary decision, we suggest using traffic shaping, where the bandwidth limit is defined by the probability of a source being a legitimate user. As a proof of concept, we implemented a simple high-performance Linux kernel module, nf-HiShape, which is able to shape thousands of source IP addresses at different bandwidth limits even under high packet rates. Our shaping algorithm is comparable to Random Early Detection (RED) applied on every single source IP range. The evaluation shows that our kernel module can handle up to 50,000 IP ranges at nearly constant throughput, whereas Linux tc already loses throughput at about 200 ranges.

9 citations
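Added example of the graded-limit idea in the abstract above (written for this page, not the nf-HiShape module): instead of a block/allow decision, every source gets a bandwidth limit proportional to the probability that it is legitimate. The kernel module is RED-like; this user-space toy uses a token bucket per source, which is a swapped-in technique chosen for clarity. The base rate, probabilities, addresses and packet timing are constructed.

```python
"""Per-source traffic shaping with a bandwidth limit proportional to the
estimated probability that the source is legitimate (toy version; the real
nf-HiShape is a Linux kernel module with a RED-like algorithm, this uses a
token bucket per source).  A binary filter is replaced by a graded limit:
likely-legitimate sources keep most of the base rate, likely bots are
throttled to a trickle instead of being dropped outright.
"""


class ProbabilityShaper:
    def __init__(self, base_rate_bps, burst_seconds=1.0, default_p=0.5):
        self.base_rate = base_rate_bps      # limit a source with p = 1.0 gets
        self.burst_seconds = burst_seconds
        self.default_p = default_p          # unknown sources: neither trusted nor blocked
        self.buckets = {}                   # src -> [rate, burst, tokens, last_ms]

    def set_probability(self, src, p_legit):
        """(Re)configure the bucket for `src`; p_legit comes from the mitigation
        system's classifier and maps linearly onto the bandwidth limit.
        p_legit = 0 means a zero rate, i.e. the source is effectively blocked."""
        rate = self.base_rate * p_legit
        burst = rate * self.burst_seconds
        self.buckets[src] = [rate, burst, burst, 0]  # start with a full bucket

    def admit(self, src, now_ms, size):
        """Token-bucket decision for one packet of `size` bytes arriving at `now_ms`."""
        if src not in self.buckets:
            self.set_probability(src, self.default_p)
        b = self.buckets[src]
        rate, burst, tokens, last_ms = b
        tokens = min(burst, tokens + rate * (now_ms - last_ms) / 1000)
        b[3] = now_ms
        if tokens >= size:
            b[2] = tokens - size
            return True
        b[2] = tokens
        return False


def run_demo():
    """Two sources flood at the same 2000 B/s; the one classified as 90 % likely
    legitimate is shaped to 900 B/s, the 10 % one is squeezed to 100 B/s."""
    shaper = ProbabilityShaper(base_rate_bps=1000)
    shaper.set_probability("198.51.100.7", 0.9)   # constructed: historical client
    shaper.set_probability("203.0.113.9", 0.1)    # constructed: suspected bot
    admitted = {"trusted": 0, "suspect": 0}
    for i in range(200):                          # 100-byte packets every 50 ms for 10 s
        t = i * 50
        admitted["trusted"] += shaper.admit("198.51.100.7", t, 100)
        admitted["suspect"] += shaper.admit("203.0.113.9", t, 100)
    return admitted


if __name__ == "__main__":
    print(run_demo())
```

Both sources offer 200 packets; the trusted one gets 98 through (a 900-byte initial burst plus 45 bytes of credit per 50 ms), the suspect one 10. The suspect source is never cut off completely, which is the point of shaping over filtering when the classifier is uncertain.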


Book ChapterDOI
05 May 2008
TL;DR: This work proposes a system to defend against DDoS attacks in a non-cooperative environment, where upstream intermediate networks need to be given an economic incentive in order for them to cooperate in the attack mitigation.
Abstract: Distributed denial of service (DDoS) attacks have plagued the Internet for many years. We propose a system to defend against DDoS attacks in a non-cooperative environment, where upstream intermediate networks need to be given an economic incentive in order for them to cooperate in the attack mitigation. Lack of such incentives is a root cause for the rare deployment of distributed DDoS mitigation schemes. Our system is based on game-theoretic principles that provably provide incentives to each participating AS (Autonomous System) to report its true defense costs to the victim, which computes and compensates the most cost-efficient (yet still effective) set of defender ASes. We also present simulation results with real AS-level topologies to demonstrate the economic feasibility of our approach.

6 citations
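Added example of the incentive mechanism sketched in the abstract above (written for this page; the paper's exact mechanism, cost model and topology are not reproduced). A Vickrey-Clarke-Groves (VCG) reverse auction is the textbook way to make cost reports truthful: the victim buys the cheapest set of upstream ASes whose filtering capacity covers the attack and pays each winner the cost the others would have incurred without it, so a winner's payment never depends on its own report. The AS numbers, capacities and costs are constructed.

```python
"""Truthful procurement of DDoS filtering from upstream ASes (illustrative
VCG mechanism added for this page; not the paper's exact mechanism).  The
victim needs at least `target` Mbps of attack traffic filtered upstream, each
AS reports what filtering costs it, the victim buys the cheapest sufficient
set and pays each winner its VCG price.  Because that price does not depend
on the winner's own report, over-stating cost can only lose it the contract.
"""
from itertools import combinations


def cheapest_cover(costs, caps, target, exclude=frozenset()):
    """Minimum-cost set of ASes whose filtering capacity sums to >= target.
    Brute force over subsets (fine for a handful of upstream ASes).
    Returns (cost, frozenset); (inf, frozenset()) if no set is sufficient."""
    ids = sorted(i for i in costs if i not in exclude)
    best_cost, best_set = float("inf"), frozenset()
    for r in range(1, len(ids) + 1):
        for combo in combinations(ids, r):
            if sum(caps[i] for i in combo) < target:
                continue
            cost = sum(costs[i] for i in combo)
            # deterministic tie-break: lower cost, then lexicographically smaller set
            if cost < best_cost or (cost == best_cost and combo < tuple(sorted(best_set))):
                best_cost, best_set = cost, frozenset(combo)
    return best_cost, best_set


def vcg_defender_auction(reported_costs, caps, target):
    """Select defenders and compute VCG payments from the *reported* costs."""
    total, winners = cheapest_cover(reported_costs, caps, target)
    payments = {}
    for i in winners:
        without_i, _ = cheapest_cover(reported_costs, caps, target, exclude={i})
        others = total - reported_costs[i]   # reported cost of the other winners
        payments[i] = without_i - others     # i's externality; inf if i is indispensable
    return winners, payments


def utility(as_id, true_cost, reported_costs, caps, target):
    """Payoff of `as_id` given everyone's reports (its own may be untruthful)."""
    winners, payments = vcg_defender_auction(reported_costs, caps, target)
    return payments[as_id] - true_cost if as_id in winners else 0


def run_demo():
    # Constructed data: four upstream ASes, filtering capacity in Mbps and true cost.
    caps = {"AS64500": 40, "AS64501": 30, "AS64502": 30, "AS64503": 20}
    true_costs = {"AS64500": 10, "AS64501": 6, "AS64502": 7, "AS64503": 9}
    target = 60
    winners, payments = vcg_defender_auction(true_costs, caps, target)
    return {
        "winners": sorted(winners),
        "payments": payments,
        "honest": utility("AS64501", 6, true_costs, caps, target),
        # AS64501 inflates its report: same payment while it still wins ...
        "inflated_9": utility("AS64501", 6, {**true_costs, "AS64501": 9}, caps, target),
        # ... and nothing at all once the inflated price makes another set cheaper.
        "inflated_11": utility("AS64501", 6, {**true_costs, "AS64501": 11}, caps, target),
    }


if __name__ == "__main__":
    print(run_demo())
```

With truthful reports the victim selects AS64501 and AS64502 (13 cost units of filtering) and pays each 10; AS64501's utility is 4 whether it reports 6 or 9, and drops to 0 when it reports 11 and loses the contract. The caveat a practitioner would note: VCG needs an exact optimum, so the brute-force cover only scales to a small set of candidate ASes, and a winner with no feasible substitute gets an unbounded payment.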


DOI
01 Jan 2008
TL;DR: It is found that, even when DDoS traffic is self-similar, detection is still possible, and that the traffic flow resulting from the superimposition of the DDoS flow and the legitimate traffic flow possesses a level of self-similarity that depends non-linearly on both the relative traffic intensity and the difference in self-similarity between the two incoming flows.
Abstract: "The river’s gentle roar comes from many quiet drops of water." (from Hermann Hesse’s Siddhartha). Distributed denial of service attacks (or DDoS) are a common occurrence on the internet and are becoming more intense as the botnets used to launch them grow bigger. Preventing or stopping DDoS is not possible without radically changing the internet infrastructure; various DDoS mitigation techniques have been devised with different degrees of success. All mitigation techniques share the need for a DDoS detection mechanism. DDoS detection based on traffic self-similarity estimation is a relatively new approach which is built on the notion that undisturbed network traffic displays fractal-like properties. These fractal-like properties are known to degrade in the presence of abnormal traffic conditions like DDoS. Detection is possible by observing the changes in the level of self-similarity in the traffic flow at the target of the attack. Existing literature assumes that DDoS traffic lacks the self-similar properties of undisturbed traffic. We show how existing botnets could be used to generate a self-similar traffic flow and thus break such assumptions. We then study the implications of self-similar attack traffic on DDoS detection. We find that, even when DDoS traffic is self-similar, detection is still possible. We also find that the traffic flow resulting from the superimposition of DDoS flow and legitimate traffic flow possesses a level of self-similarity that depends non-linearly on both relative traffic intensity and on the difference in self-similarity between the two incoming flows.

4 citations
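Added example for the two technical points in the abstract above (written for this page, not the thesis's code): how the Hurst exponent of a traffic series is estimated, and how a botnet can produce self-similar traffic. The estimator is the standard aggregated-variance (variance-time) method; the bot model is the classic construction in which superposing ON/OFF sources with heavy-tailed period lengths yields long-range dependence. The "legitimate" series here is independent noise standing in for undisturbed traffic, so its H should sit near 0.5, which is an assumption made for the demonstration; the seed, slot count and bot parameters are constructed.

```python
"""Self-similarity (Hurst exponent) estimation for DDoS detection, plus a
heavy-tailed ON/OFF bot model that produces self-similar attack traffic.
Added example for this page; it is not the thesis's code.

Aggregated-variance estimator: for a self-similar process the block means
X^(m) over non-overlapping blocks of m slots satisfy Var(X^(m)) ~ m^(2H-2),
so the least-squares slope s of log Var against log m gives H = 1 + s/2.
"""
import math
import random


def hurst_aggregated_variance(series, levels=(1, 2, 4, 8, 16, 32, 64)):
    xs, ys = [], []
    for m in levels:
        blocks = [sum(series[i:i + m]) / m for i in range(0, len(series) - m + 1, m)]
        if len(blocks) < 8:                     # too few blocks for a usable variance
            continue
        mean = sum(blocks) / len(blocks)
        var = sum((b - mean) ** 2 for b in blocks) / (len(blocks) - 1)
        if var > 0:
            xs.append(math.log(m))
            ys.append(math.log(var))
    xbar, ybar = sum(xs) / len(xs), sum(ys) / len(ys)
    slope = (sum((x - xbar) * (y - ybar) for x, y in zip(xs, ys))
             / sum((x - xbar) ** 2 for x in xs))
    return 1 + slope / 2


def legitimate_counts(n, mean_rate, rng):
    """Constructed stand-in for undisturbed traffic: independent per-slot counts
    (no long-range dependence, so the estimator should return H close to 0.5)."""
    return [max(0.0, rng.gauss(mean_rate, math.sqrt(mean_rate))) for _ in range(n)]


def pareto_length(rng, alpha, x_min=1, cap=1024):
    """Heavy-tailed period length, Pareto(alpha) by inverse transform; capped so a
    single run cannot swamp the finite sample.  1 - random() is in (0, 1]."""
    return min(cap, int(math.ceil(x_min / (1 - rng.random()) ** (1 / alpha))))


def botnet_onoff_counts(n, bots, alpha, rng):
    """Each bot alternates ON periods (one packet per slot) and OFF periods whose
    lengths are Pareto(alpha); the aggregate of many such sources is self-similar
    with theoretical H = (3 - alpha) / 2 for 1 < alpha < 2."""
    counts = [0] * n
    for _ in range(bots):
        t, on = 0, rng.random() < 0.5
        while t < n:
            length = pareto_length(rng, alpha)
            if on:
                for k in range(t, min(n, t + length)):
                    counts[k] += 1
            t, on = t + length, not on
    return counts


def run_demo(n=8192, seed=2008):
    rng = random.Random(seed)
    legit = legitimate_counts(n, 40.0, rng)
    attack = botnet_onoff_counts(n, bots=40, alpha=1.3, rng=rng)  # theoretical H = 0.85
    mixed = [l + a for l, a in zip(legit, attack)]                 # what the victim sees
    return {
        "H_legit": hurst_aggregated_variance(legit),
        "H_attack": hurst_aggregated_variance(attack),
        "H_mixed": hurst_aggregated_variance(mixed),
    }


if __name__ == "__main__":
    print(run_demo())
```

The attack series comes out with H well above the independent series, which is what breaks the assumption that DDoS traffic is less self-similar than legitimate traffic; the mixed series lands in between, and where exactly depends on the attack-to-legitimate intensity ratio (vary the bot count to see this), which is the non-linear dependence the thesis studies. The aggregated-variance estimator is known to be biased downward on short samples, so a detector should compare against a baseline measured with the same window and levels rather than against the theoretical value.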


Proceedings ArticleDOI
13 Apr 2008
TL;DR: Describes the design and implementation of Oboe, a run-time system for distributed-memory multi-processor (DM-MP) platforms that tackles the cost of accessing persistent shared state through two foundations: category-specific management of shared state, and adaptive flow-level load distribution for addressing persistent processor overload.
Abstract: Sophisticated middlebox services, such as network monitoring and intrusion detection, DDoS mitigation, worm scanning, XML parsing and protocol transformation, are becoming increasingly popular in today's Internet. To support high throughput, these services are often deployed on distributed memory, multi-processor (DM-MP) hardware platforms such as a cluster of network processors. Scaling the throughput of such platforms, however, is challenging because of the difficulties and overheads of accessing persistent, shared state maintained by the services. In this paper, we describe the design and implementation of Oboe, a run-time system for DM-MP platforms that addresses the above challenge through two foundations: (1) category-specific management of shared state, and (2) adaptive flow-level load distribution for addressing persistent processor overload. Our simulations demonstrate that Oboe can achieve performance within 0-5% of an ideal adaptive system. Our prototype implementation of Oboe on a cluster of IXP2400 network processors demonstrates the scalability achieved with increasing number of processors, number of flows and state size.

4 citations


01 Jan 2008
TL;DR: A new system, Core Ingress Rate Limiting (CIRL), is presented, which attempts to address both deployment obstacles of earlier DDoS defenses (the need for large-scale deployment and the lack of incremental deployability) by working in the context of a new internet architecture, eFIT, and borrowing some techniques from existing proposals.
Abstract: DDoS attacks have been a topic of research for some time, and a number of solutions have been proposed which address their prevention or mitigation. However, none of these proposed systems have been widely deployed, and as a result the internet at large remains susceptible to relatively simple, stealthy, and potent DDoS attacks. We conjecture that there are two related fundamental reasons that the proposed systems have not been widely deployed: many of the proposed systems require either large-scale deployment to be successful, or cannot be incrementally deployed, or both. In this paper, we present a new system, Core Ingress Rate Limiting (CIRL), which attempts to address both of these problems by working in the context of a new internet architecture, eFIT, and borrowing some techniques from existing proposals. eFIT is designed to solve a different problem in the internet, but its architecture provides useful facilities for CIRL, and its incremental deployment could be used to ensure a wide deployment of CIRL, thereby avoiding incremental deployability concerns.

1 citation