On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law internets

Author:

Park Kihong (1), Lee Heejo (2)

Affiliation:

1. Network Systems Lab, Department of Computer Sciences, Purdue University, West Lafayette, IN

2. Ahnlab, Inc., 8F V-Valley Bldg., 724 Suseo-Dong, Kangnam-Ku Seoul 135-744, Korea and Network Systems Lab, Department of Computer Sciences, Purdue University, West Lafayette, IN

Abstract

Denial of service (DoS) attacks on the Internet have become a pressing problem. In this paper, we describe and evaluate route-based distributed packet filtering (DPF), a novel approach to distributed DoS (DDoS) attack prevention. We show that DPF achieves proactiveness and scalability, and we show that there is an intimate relationship between the effectiveness of DPF at mitigating DDoS attacks and power-law network topology. The salient features of this work are two-fold. First, we show that DPF is able to proactively filter out a significant fraction of spoofed packet flows and prevent attack packets from reaching their targets in the first place. The IP flows that cannot be proactively curtailed are extremely sparse, so that their origin can be localized (i.e., IP traceback) to within a small, constant number of candidate sites. We show that these two proactive and reactive performance effects can be achieved by implementing route-based filtering on less than 20% of Internet autonomous system (AS) sites. Second, we show that the two complementary performance measures depend on the properties of the underlying AS graph. In particular, we show that the power-law structure of Internet AS topology leads to connectivity properties which are crucial in facilitating the observed performance effects.

Publisher

Association for Computing Machinery (ACM)

Subject

Computer Networks and Communications,Software


Cited by 123 articles.

1. Toward Practical Inter-Domain Source Address Validation;IEEE/ACM Transactions on Networking;2024-08

2. WavingSketch: an unbiased and generic sketch for finding top-k items in data streams;The VLDB Journal;2024-07-29

3. DDD: A DNS-based DDoS Defense Scheme Using Puzzles;2024 33rd International Conference on Computer Communications and Networks (ICCCN);2024-07-29

4. A New Mitigation Method against DRDoS Attacks Using a Snort UDP Module in Low-Specification Fog Computing Environments;Electronics;2024-07-24

5. Prevention of DDoS attacks: a comprehensive review and future directions;Information Security Journal: A Global Perspective;2024-05-15
