DOI: 10.1145/383059.383061 (Article, free access)

On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law internets

Published: 27 August 2001

Abstract

Denial of service (DoS) attacks on the Internet have become a pressing problem. In this paper, we describe and evaluate route-based distributed packet filtering (DPF), a novel approach to distributed DoS (DDoS) attack prevention. We show that DPF achieves proactiveness and scalability, and that there is an intimate relationship between the effectiveness of DPF at mitigating DDoS attacks and power-law network topology.

The salient features of this work are two-fold. First, we show that DPF is able to proactively filter out a significant fraction of spoofed packet flows and prevent attack packets from reaching their targets in the first place. The IP flows that cannot be proactively curtailed are extremely sparse, so that their origin can be localized (i.e., IP traceback) to within a small, constant number of candidate sites. We show that both the proactive and the reactive performance effects can be achieved by implementing route-based filtering on less than 20% of Internet autonomous system (AS) sites. Second, we show that these two complementary performance measures depend on the properties of the underlying AS graph. In particular, the power-law structure of Internet AS topology leads to connectivity properties that are crucial in facilitating the observed performance effects.
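As an added illustration (not the paper's code or data), the following Python models route-based filtering on a constructed five-AS graph: a filtering AS accepts a packet only if its claimed source could legitimately arrive over that ingress link under shortest-path routing, and it reports the two measures the abstract describes, the fraction of spoofed flows dropped proactively and, for each spoofed source that still gets through, the candidate set an IP traceback would have to search. The topology, the victim AS, the filter placement and the use of BFS shortest paths in place of real inter-domain routing are all assumptions made here for illustration.

```python
# Toy model of route-based distributed packet filtering (DPF) on an AS graph.
from collections import deque

TOPOLOGY = {1: {2, 3}, 2: {1, 4}, 3: {1, 4}, 4: {2, 3, 5}, 5: {4}}  # constructed, not from the paper


def shortest_path(graph, src, dst):
    """BFS shortest path from src to dst as a list of AS numbers (stand-in for routing)."""
    prev, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        for nxt in sorted(graph[node]):  # sorted for deterministic tie-breaking
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    path, node = [], dst
    while node is not None:
        path.append(node)
        node = prev[node]
    return path[::-1]


def build_filter_tables(graph, filter_sites):
    """Per filtering AS: (source, ingress neighbour) pairs legitimate routing can produce;
    a locally originated packet must carry the AS's own number (modelling assumption)."""
    routes = {(s, d): shortest_path(graph, s, d) for s in graph for d in graph if s != d}
    tables = {f: {(f, f)} for f in filter_sites}
    for (s, _), path in routes.items():
        for prev_hop, hop in zip(path, path[1:]):
            if hop in tables:
                tables[hop].add((s, prev_hop))
    return routes, tables


def reaches_victim(routes, tables, attacker, spoofed_src, victim):
    """Walk the attacker's route; drop at the first filter lacking (spoofed, ingress)."""
    path = routes[(attacker, victim)]
    for prev_hop, hop in zip([attacker] + path, path):  # first pair = local-origin check
        if hop in tables and (spoofed_src, prev_hop) not in tables[hop]:
            return False
    return True


def evaluate(graph, filter_sites, victim):
    """Proactive: fraction of (attacker, spoofed source) pairs dropped before the victim.
    Reactive: for each spoofed source that still arrives, the candidate attacker ASes."""
    routes, tables = build_filter_tables(graph, filter_sites)
    total, blocked, candidates = 0, 0, {}
    for attacker in (a for a in graph if a != victim):
        for spoofed in (s for s in graph if s != attacker):
            total += 1
            if reaches_victim(routes, tables, attacker, spoofed, victim):
                candidates.setdefault(spoofed, set()).add(attacker)
            else:
                blocked += 1
    return blocked / total, candidates
```

In this toy graph a single filter at AS 4 (one of five ASes) drops 14 of 16 spoofed (attacker, source) pairs, and each spoofed source that survives is traceable to exactly one candidate AS; with no filters nothing is dropped and a spoofed source could have come from any non-victim AS.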


Published In

SIGCOMM '01: Proceedings of the 2001 conference on Applications, technologies, architectures, and protocols for computer communications
August 2001, 298 pages. ISBN: 1581134118. DOI: 10.1145/383059
  • ACM SIGCOMM Computer Communication Review, Volume 31, Issue 4: Proceedings of the 2001 SIGCOMM conference
    October 2001, 275 pages. ISSN: 0146-4833. DOI: 10.1145/964723
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher: Association for Computing Machinery, New York, NY, United States

Conference: SIGCOMM '01

Acceptance Rates

SIGCOMM '01 paper acceptance rate: 23 of 252 submissions, 9%
Overall acceptance rate: 462 of 3,389 submissions, 14%

Article Metrics

  • Downloads (last 12 months): 145
  • Downloads (last 6 weeks): 12
Reflects downloads up to 16 Oct 2024

Cited By

  • (2024) Assessment of a Semi-supervised Machine Learning Method for Thwarting Network DDoS Assaults. Evolution in Signal Processing and Telecommunication Networks, pp. 307-318. DOI: 10.1007/978-981-97-0644-0_28. Online publication date: 23-Apr-2024
  • (2023) NetHCF: Filtering Spoofed IP Traffic With Programmable Switches. IEEE Transactions on Dependable and Secure Computing, 20(2):1641-1655. DOI: 10.1109/TDSC.2022.3161015. Online publication date: 1-Mar-2023
  • (2023) Couper: Memory-Efficient Cardinality Estimation under Unbalanced Distribution. 2023 IEEE 39th International Conference on Data Engineering (ICDE), pp. 2753-2765. DOI: 10.1109/ICDE55515.2023.00211. Online publication date: Apr-2023
  • (2023) History-IP Filtering Based on Neural Network. 2023 International Conference on Blockchain Technology and Information Security (ICBCTIS), pp. 64-67. DOI: 10.1109/ICBCTIS59921.2023.00017. Online publication date: Jun-2023
  • (2023) Mitigation and Prevention Methods for Distributed Denial-of-Service Attacks on Network Servers. Advancements in Smart Computing and Information Security, pp. 70-82. DOI: 10.1007/978-3-031-23095-0_5. Online publication date: 11-Jan-2023
  • (2022) Supporting Real-time Networkwide T-Queries in High-speed Networks. 2022 IEEE 42nd International Conference on Distributed Computing Systems (ICDCS), pp. 1-11. DOI: 10.1109/ICDCS54860.2022.00010. Online publication date: Jul-2022
  • (2021) Noise Measurement and Removal for Data Streaming Algorithms with Network Applications. 2021 IFIP Networking Conference (IFIP Networking), pp. 1-9. DOI: 10.23919/IFIPNetworking52078.2021.9472845. Online publication date: 21-Jun-2021
  • (2021) ASAP: Anti-Spoofing Aphorism Using Path-analysis. 2021 IEEE/ACM 29th International Symposium on Quality of Service (IWQOS), pp. 1-10. DOI: 10.1109/IWQOS52092.2021.9521356. Online publication date: 25-Jun-2021
  • (2021) pSAV: A Practical and Decentralized Inter-AS Source Address Validation Service Framework. 2021 IEEE/ACM 29th International Symposium on Quality of Service (IWQOS), pp. 1-7. DOI: 10.1109/IWQOS52092.2021.9521336. Online publication date: 25-Jun-2021
  • (2021) A Review of DDoS Attacks and its Countermeasures in Cloud Computing. 2021 5th International Conference on Information Systems and Computer Networks (ISCON), pp. 1-6. DOI: 10.1109/ISCON52037.2021.9702388. Online publication date: 22-Oct-2021
