
On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law internets

Published: 27 August 2001

Abstract

Denial of service (DoS) attack on the Internet has become a pressing problem. In this paper, we describe and evaluate route-based distributed packet filtering (DPF), a novel approach to distributed DoS (DDoS) attack prevention. We show that DPF achieves proactiveness and scalability, and we show that there is an intimate relationship between the effectiveness of DPF at mitigating DDoS attack and power-law network topology. The salient features of this work are two-fold. First, we show that DPF is able to proactively filter out a significant fraction of spoofed packet flows and prevent attack packets from reaching their targets in the first place. The IP flows that cannot be proactively curtailed are extremely sparse so that their origin can be localized---i.e., IP traceback---to within a small, constant number of candidate sites. We show that the two proactive and reactive performance effects can be achieved by implementing route-based filtering on less than 20% of Internet autonomous system (AS) sites. Second, we show that the two complementary performance measures are dependent on the properties of the underlying AS graph. In particular, we show that the power-law structure of Internet AS topology leads to connectivity properties which are crucial in facilitating the observed performance effects.
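The abstract names two measures, the proactive fraction of spoofed flows dropped and the reactive size of the traceback candidate set, but gives no mechanism. The following toy simulation is an added example, not code from the paper: it builds route-based filter tables from the routes of a constructed 5-AS tree topology, applies them at a chosen set of filtering ASes, and computes both measures. Assumptions not taken from the page: a single deterministic shortest path per AS pair, filtering applied by the AS that receives a packet over a link (ingress), and that the attacking AS's own traffic is not checked before it leaves that AS.

```python
"""Toy route-based distributed packet filtering (DPF) simulation.

Added example, not the paper's code. Assumptions: constructed 5-AS tree
topology, deterministic single shortest-path routing, ingress filtering at
the receiving AS of each link. Node ids stand in for AS numbers and source
addresses alike (one address per AS).
"""
from collections import deque
from itertools import product

# Constructed topology (not from the paper): AS 0 is a hub with stub ASes
# 1, 2 and 3; AS 4 sits behind AS 3. It is a tree, so every route is unique.
EDGES = [(0, 1), (0, 2), (0, 3), (3, 4)]


def build_adjacency(edges):
    adj = {}
    for a, b in edges:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def shortest_path(adj, src, dst):
    """BFS shortest path from src to dst as a list of nodes. Neighbours are
    visited in ascending id order so that routing is deterministic."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nb in sorted(adj[node]):
            if nb not in prev:
                prev[nb] = node
                queue.append(nb)
    path = [dst]
    while prev[path[-1]] is not None:
        path.append(prev[path[-1]])
    return path[::-1]


def build_filter_tables(adj):
    """Route-based filter table: for each directed link (u, v), the set of
    source addresses whose legitimate route to *some* destination traverses
    that link. A packet arriving over (u, v) with a source outside the set
    cannot have originated at that source under the current routing."""
    tables = {}
    nodes = sorted(adj)
    for s, d in product(nodes, repeat=2):
        if s != d:
            path = shortest_path(adj, s, d)
            for u, v in zip(path, path[1:]):
                tables.setdefault((u, v), set()).add(s)
    return tables


ADJ = build_adjacency(EDGES)
TABLES = build_filter_tables(ADJ)


def packet_dropped(filter_nodes, attacker, claimed_src, target):
    """True if a packet emitted by `attacker` carrying source address
    `claimed_src` is discarded by a DPF-enabled AS on its way to `target`.
    The receiving AS of each link performs the check (ingress filtering)."""
    path = shortest_path(ADJ, attacker, target)
    for u, v in zip(path, path[1:]):
        if v in filter_nodes and claimed_src not in TABLES.get((u, v), set()):
            return True
    return False


def proactive_coverage(filter_nodes):
    """Fraction of spoofed (attacker, claimed source, target) flows that
    never reach the target: the proactive measure."""
    nodes = sorted(ADJ)
    total = dropped = 0
    for a, s, t in product(nodes, repeat=3):
        if len({a, s, t}) < 3:
            continue  # only genuinely spoofed flows between distinct ASes
        total += 1
        dropped += packet_dropped(filter_nodes, a, s, t)
    return dropped / total


def traceback_candidates(filter_nodes, claimed_src, target):
    """ASes from which a packet claiming `claimed_src` can still reach
    `target` undetected: the candidate set an investigator is left with
    (the reactive, IP-traceback measure). The true source is always in it."""
    return {a for a in ADJ if a != target
            and not packet_dropped(filter_nodes, a, claimed_src, target)}


if __name__ == "__main__":
    for fset in (set(), {0}, set(ADJ)):
        print(sorted(fset), round(proactive_coverage(fset), 3),
              sorted(traceback_candidates(fset, claimed_src=3, target=1)))
```

Two things the toy already shows: filtering at the hub alone cannot catch AS 4 spoofing AS 3's address, because both sit behind the same link into the hub, and even with every AS filtering, AS 0 can still spoof AS 3 toward AS 1 since AS 3's real route to AS 1 passes through AS 0. The filter table therefore never drops legitimate traffic, but the residual candidate set is bounded by who shares a downstream route, which is the property the paper ties to topology.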




Published In

ACM SIGCOMM Computer Communication Review, Volume 31, Issue 4: Proceedings of the 2001 SIGCOMM conference. October 2001, 275 pages. ISSN 0146-4833, DOI 10.1145/964723.

SIGCOMM '01: Proceedings of the 2001 conference on Applications, technologies, architectures, and protocols for computer communications. August 2001, 298 pages. ISBN 1581134118, DOI 10.1145/383059.

Publisher

Association for Computing Machinery

New York, NY, United States


Qualifiers

  • Article


Article Metrics

  • Downloads (last 12 months): 159
  • Downloads (last 6 weeks): 17

Reflects downloads up to 27 Nov 2024

Citations

Cited By

  • (2024) A New Mitigation Method against DRDoS Attacks Using a Snort UDP Module in Low-Specification Fog Computing Environments. Electronics 13:15 (2919). DOI 10.3390/electronics13152919. Online publication date: 24-Jul-2024
  • (2024) Toward Practical Inter-Domain Source Address Validation. IEEE/ACM Transactions on Networking 32:4 (3126-3141). DOI 10.1109/TNET.2024.3377116. Online publication date: Aug-2024
  • (2024) A Probabilistic and Distributed Validation Framework Based on Blockchain for Artificial Intelligence of Things. IEEE Internet of Things Journal 11:1 (17-28). DOI 10.1109/JIOT.2023.3279849. Online publication date: 1-Jan-2024
  • (2024) DDD: A DNS-based DDoS Defense Scheme Using Puzzles. 2024 33rd International Conference on Computer Communications and Networks (ICCCN) (1-9). DOI 10.1109/ICCCN61486.2024.10637603. Online publication date: 29-Jul-2024
  • (2024) PREVIR: Fortifying Vehicular Networks Against Denial of Service Attacks. IEEE Access 12 (48301-48320). DOI 10.1109/ACCESS.2024.3382992. Online publication date: 2024
  • (2024) Prevention of DDoS attacks: a comprehensive review and future directions. Information Security Journal: A Global Perspective (1-33). DOI 10.1080/19393555.2024.2347243. Online publication date: 15-May-2024
  • (2024) Potential smart grid vulnerabilities to cyber attacks: Current threats and existing mitigation strategies. Heliyon 10:19 (e37980). DOI 10.1016/j.heliyon.2024.e37980. Online publication date: Oct-2024
  • (2024) WavingSketch: an unbiased and generic sketch for finding top-k items in data streams. The VLDB Journal 33:5 (1697-1722). DOI 10.1007/s00778-024-00869-6. Online publication date: 1-Sep-2024
  • (2023) NetHCF: Filtering Spoofed IP Traffic With Programmable Switches. IEEE Transactions on Dependable and Secure Computing 20:2 (1641-1655). DOI 10.1109/TDSC.2022.3161015. Online publication date: 1-Mar-2023
  • (2023) Decentralized incentive-based DDoS mitigation. 2023 26th Conference on Innovation in Clouds, Internet and Networks and Workshops (ICIN) (33-35). DOI 10.1109/ICIN56760.2023.10073483. Online publication date: 6-Mar-2023
