On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law internets (2001)

by K Park, H Lee
Venue: ACM SIGCOMM

Results 1 - 10 of 278

Measuring ISP Topologies with Rocketfuel

by Neil Spring, Ratul Mahajan, David Wetherall - In Proc. ACM SIGCOMM, 2002
Cited by 843 (28 self)
To date, realistic ISP topologies have not been accessible to the research community, leaving work that depends on topology on an uncertain footing. In this paper, we present new Internet mapping techniques that have enabled us to directly measure router-level ISP topologies. Our techniques reduce the number of required traces compared to a brute-force, all-to-all approach by three orders of magnitude without a significant loss in accuracy. They include the use of BGP routing tables to focus the measurements, exploiting properties of IP routing to eliminate redundant measurements, better alias resolution, and the use of DNS to divide each map into POPs and backbone. We collect maps from ten diverse ISPs using our techniques, and find that our maps are substantially more complete than those of earlier Internet mapping efforts. We also report on properties of these maps, including the size of POPs, distribution of router outdegree, and the inter-domain peering structure. As part of this work, we release our maps to the community.

A Taxonomy of DDoS Attack and DDoS Defense Mechanisms

by Jelena Mirkovic, Peter Reiher - ACM SIGCOMM Computer Communication Review, 2004
Cited by 358 (2 self)
Distributed denial-of-service (DDoS) is a rapidly growing problem. The multitude and variety of both the attacks and the defense approaches is overwhelming. This paper presents two taxonomies for classifying attacks and defenses, and thus provides researchers with a better understanding of the problem and the current solution space. The attack classification criteria were selected to highlight commonalities and important features of attack strategies, that define challenges and dictate the design of countermeasures. The defense taxonomy classifies the body of existing DDoS defenses based on their design decisions; it then shows how these decisions dictate the advantages and deficiencies of proposed solutions.

Flash Crowds and Denial of Service Attacks: Characterization and Implications for CDNs and Web Sites

by Jaeyeon Jung, Balachander Krishnamurthy, Michael Rabinovich - In Proceedings of the International World Wide Web Conference, 2002
Cited by 294 (13 self)
Abstract not found

On Distinguishing between Internet Power Law Topology Generators

by Tian Bu, Don Towsley, 2002
Cited by 256 (4 self)
Recent work has shown that the node degree in the WWW induced graph and the AS-level Internet topology exhibit power laws. Since then several algorithms have been proposed to generate such power law graphs. In this paper we evaluate the effectiveness of these generators to generate representative AS-level topologies. Our conclusions are mixed. Although they (mostly) do a reasonable job at capturing the power law exponent, they do less well in capturing the clustering phenomena exhibited by the Internet topology. Based on these results we propose a variation of the recent incremental topology generator of [6] that is more successful at matching the power law exponent and the clustering behavior of the Internet. Last, we comment on the small world behavior of the Internet topology.

Detecting SYN Flooding Attacks

by Haining Wang, Danlu Zhang, Kang G. Shin - In Proceedings of the IEEE Infocom, 2002
Cited by 215 (8 self)
We propose a simple and robust mechanism for detecting SYN flooding attacks. Instead of monitoring the ongoing traffic at the front end (like firewall or proxy) or a victim server itself, we detect the SYN flooding attacks at leaf routers that connect end hosts to the Internet. The simplicity of our detection mechanism lies in its statelessness and low computation overhead, which make the detection mechanism itself immune to flooding attacks. Our detection mechanism is based on the protocol behavior of TCP SYN-FIN (RST) pairs, and is an instance of the Sequential Change Point Detection [1]. To make the detection mechanism insensitive to site and access pattern, a non-parametric Cumulative Sum (CUSUM) method [4] is applied, thus making the detection mechanism much more generally applicable and its deployment much easier. The efficacy of this detection mechanism is validated by trace-driven simulations. The evaluation results show that the detection mechanism has short detection latency and high detection accuracy. Moreover, due to its proximity to the flooding sources, our mechanism not only sets alarms upon detection of ongoing SYN flooding attacks, but also reveals the location of the flooding sources without resorting to expensive IP traceback.

Citation Context

...the attacker would only be able to generate packets with internal addresses. Given the reachability constraints imposed by routing and network topology, route-based distributed packet filtering (DPF) [22] exploits routing information to determine if a packet arriving at the router is valid with respect to its inscribed source/destination addresses. The experimental results in [22] show that a signific...

SIFF: A Stateless Internet Flow Filter to Mitigate DDoS Flooding Attacks

by Abraham Yaar, Adrian Perrig, Dawn Song - In IEEE Symposium on Security and Privacy, 2004
Cited by 188 (13 self)
One of the fundamental limitations of the Internet is the inability of a packet flow recipient to halt disruptive flows before they consume the recipient's network link resources. Critical infrastructures and businesses alike are vulnerable to DoS attacks or flash-crowds that can incapacitate their networks with traffic floods. Unfortunately, current mechanisms require per-flow state at routers, ISP collaboration, or the deployment of an overlay infrastructure to defend against these events.

Citation Context

...of DoS attack to probe which links are affected by an attack and can thus trace back to the origin [8]. Park and Lee propose a distributed packet filtering (DPF) mechanism against IP address spoofing [32]. DPF relies on BGP routing information to detect spoofed IP addresses. Bellovin et al. suggest adding a new type of ICMP message for traceback [6], and Mankin et al. present an improvement to this s...

Hop-count filtering: an effective defense against spoofed DDoS traffic

by Cheng Jin, Haining Wang, 2003
Cited by 187 (4 self)
IP spoofing has been exploited by Distributed Denial of Service (DDoS) attacks to (1) conceal flooding sources and localities in flooding traffic, and (2) coax legitimate hosts into becoming reflectors, redirecting and amplifying flooding traffic. Thus, the ability to filter spoofed IP packets near victims is essential to their own protection as well as to their avoidance of becoming involuntary DoS reflectors. Although an attacker can forge any field in the IP header, he or she cannot falsify the number of hops an IP packet takes to reach its destination. This hop-count information can be inferred from the Time-to-Live (TTL) value in the IP header. Using a mapping between IP addresses and their hop-counts to an Internet server, the server can distinguish spoofed IP packets from legitimate ones. Based on this observation, we present a novel filtering technique that is immediately deployable to weed out spoofed IP packets. Through analysis using network measurement data, we show that Hop-Count Filtering (HCF) can identify close to 90% of spoofed IP packets, and then discard them with little collateral damage. We implement and evaluate HCF in the Linux kernel, demonstrating its benefits using experimental measurements.

Citation Context

...ile it does help pinpoint locations of flooding sources, off-line IP traceback does not help sustain service availability during an attack. On-line filtering mechanisms rely on IP router enhancements [15, 23, 24, 25, 26, 31] to detect abnormal traffic patterns and foil DDoS attacks. However, these solutions require not only router support, but also coordination among different routers and networks, and wide-spread deploy...

Towards Capturing Representative AS-Level Internet Topologies

by Hyunseok Chang, Ramesh Govindan, Sugih Jamin, Scott J. Shenker, Walter Willinger - Computer Networks Journal, 2002
Cited by 175 (23 self)
Recent studies concerning the Internet connectivity at the AS level have attracted considerable attention. These studies have exclusively relied on the BGP data from Oregon route-views [1] to derive some unexpected and intriguing results. The Oregon route-views data sets reflect AS peering relationships, as reported by BGP, seen from a handful of vantage points in the global Internet. The possibility that these data sets from Oregon route-views may provide only a very sketchy picture of the complete inter-AS connections that exist in the actual Internet has received surprisingly little scrutiny. In this paper, we will use the term "AS peering relationship" to mean that there is "at least one direct router-level connection" between two existing ASs, and that these two ASs agree to exchange traffic by enabling BGP between them. By augmenting the Oregon route-views data sets with BGP summary information from a large number of Internet Looking Glass sites and with routing policy information from Internet Routing Registry (IRR) databases, we find that (1) a significant number of existing AS connections remain hidden from most BGP routing tables, (2) the AS connections to tier-1 ASs are in general more easily observed than those to non tier-1 ASs, and (3) there are at least about 25-50% more AS connections in the Internet than commonly-used BGP-derived AS maps reveal (but only about 2% more ASs). These findings point out the need for an increased awareness of and a more critical attitude toward the applicability and completeness of given data sets at hand when establishing the generality of any particular observations about the Internet.

Citation Context

...], (4) investigating the problem of routing path inflation [8], [9], (5) studying the effectiveness of proposed algorithms for detection/prevention of attacks on (parts of) the network infrastructure [10], and (6) evaluating the performance of multicast protocols [11]. A closer look at the measurements that form the basis for all these studies reveals that the data sets used consist of BGP routing tab...

Attacking DDoS at the Source

by Jelena Mirkovic, Gregory Prier, Peter Reiher, 2002
Cited by 174 (9 self)
Distributed denial-of-service (DDoS) attacks present an Internet-wide threat. We propose D-WARD, a DDoS defense system deployed at source-end networks that autonomously detects and stops attacks originating from these networks. Attacks are detected by the constant monitoring of two-way traffic flows between the network and the rest of the Internet and periodic comparison with normal flow models. Mismatching flows are rate-limited in proportion to their aggressiveness. D-WARD offers good service to legitimate traffic even during an attack, while effectively reducing DDoS traffic to a negligible level. A prototype of the system has been built in a Linux router. We show its effectiveness in various attack scenarios, discuss motivations for deployment, and describe associated costs.

Citation Context

...m is large if the attack is distributed, and the mechanism must be resilient to attacks. Several filtering mechanisms have been proposed to prevent spoofing source addresses in IP packets ([7], [13], [16]). While IP spoofing is not necessary in DDoS attacks, it helps attackers hide the identity of attacking machines so they can reuse them for future attacks. D-WARD and many other DDoS prevention mecha...

Inet-3.0: Internet topology generator

by Jared Winick, Sugih Jamin, 2002
Cited by 168 (2 self)
In this report we present version 3.0 of Inet, an Autonomous System (AS) level Internet topology generator. Our understanding of the Internet topology is quickly evolving, and thus, our understanding of how synthetic topologies should be generated is changing too. We document our analysis of Inet-2.2, which highlighted two shortcomings in its topologies. Inet-3.0 improves upon Inet-2.2's two main weaknesses by creating topologies with more accurate degree distributions and minimum vertex covers as compared to Internet topologies. We also examine numerous other metrics to show that Inet-3.0 better approximates the actual Internet AS topology than does Inet-2.2. Inet-3.0's topologies still do not well represent the Internet in terms of maximum clique size and clustering coefficient. These related problems stress a need for a better understanding of Internet connectivity and will be addressed in future work.