Controlling high bandwidth aggregates in the network

Published: 01 July 2002

Abstract

The current Internet infrastructure has very few built-in protection mechanisms, and is therefore vulnerable to attacks and failures. In particular, recent events have illustrated the Internet's vulnerability to both denial of service (DoS) attacks and flash crowds in which one or more links in the network (or servers at the edge of the network) become severely congested. In both DoS attacks and flash crowds the congestion is due neither to a single flow, nor to a general increase in traffic, but to a well-defined subset of the traffic --- an aggregate. This paper proposes mechanisms for detecting and controlling such high bandwidth aggregates. Our design involves both a local mechanism for detecting and controlling an aggregate at a single router, and a cooperative pushback mechanism in which a router can ask upstream routers to control an aggregate. While certainly not a panacea, these mechanisms could provide some needed relief from flash crowds and flooding-style DoS attacks. The presentation in this paper is a first step towards a more rigorous evaluation of these mechanisms.
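As an added illustration of the local detection-and-control step the abstract describes (example code written for this page, not code from the paper or the pushback drafts): the congested router clusters its recent drop history by destination prefix to identify the aggregate, computes a rate limit that brings the link back to its target, and falls back to a pushback request upstream when local limiting cannot. The drop history, the rates, the fixed /24 prefix length and the message field names are all constructed assumptions.

```python
from collections import Counter
from ipaddress import IPv4Network

# Constructed drop history: destination addresses of packets the congested
# router dropped during one sampling interval (synthetic, not real traffic).
DROP_HISTORY = (
    [f"10.1.1.{i}" for i in range(1, 61)]       # 60 drops towards one /24
    + ["10.1.1.7"] * 40                         # 40 more to the same /24
    + [f"192.0.2.{i}" for i in range(1, 11)]    # 10 scattered background drops
    + ["203.0.113.5", "198.51.100.9", "172.16.0.3"]
)

def identify_aggregates(drops, prefix_len=24, min_share=0.3):
    """Cluster dropped packets by destination prefix and flag prefixes that
    account for at least min_share of all drops (destination-prefix
    clustering, simplified to a fixed prefix length instead of widening)."""
    counts = Counter(str(IPv4Network(f"{d}/{prefix_len}", strict=False)) for d in drops)
    total = len(drops)
    return {prefix: n / total for prefix, n in counts.items() if n / total >= min_share}

def compute_rate_limit(aggregate_rates, total_arrival, target):
    """Water-filling: find one limit L (same units as the rates) such that
    capping every identified aggregate at L brings total arrival down to
    target while background traffic is left alone. Returns None when there
    is nothing to limit or the background alone exceeds target, i.e. when
    local limiting cannot help and pushback upstream is the remaining option."""
    background = total_arrival - sum(aggregate_rates.values())
    rates = sorted(aggregate_rates.values())
    if not rates or background > target:
        return None
    budget = target - background
    n = len(rates)
    for i, r in enumerate(rates):
        # Would capping all not-yet-fixed aggregates at r still exceed the budget?
        if sum(rates[:i]) + r * (n - i) > budget:
            return (budget - sum(rates[:i])) / (n - i)
    return rates[-1]  # aggregates already fit under the target; no cap needed

def build_pushback_request(prefix, limit, depth=1):
    """Request the congested router sends to its upstream neighbours asking
    them to rate-limit the aggregate closer to its sources. Field names are
    assumed for illustration; this is not the pushback draft's wire format."""
    return {"aggregate": prefix, "limit_mbps": round(limit, 3), "depth": depth}

if __name__ == "__main__":
    aggs = identify_aggregates(DROP_HISTORY)
    limit = compute_rate_limit({p: 8.0 for p in aggs}, total_arrival=12.0, target=10.0)
    print(aggs, limit, build_pushback_request(next(iter(aggs)), limit))
```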


Published In

ACM SIGCOMM Computer Communication Review, Volume 32, Issue 3
July 2002
79 pages
ISSN: 0146-4833
DOI: 10.1145/571697

Publisher

Association for Computing Machinery

New York, NY, United States


Qualifiers

  • Article


Cited By

  • (2024) The COVID-19 Pandemic, the Digital Transformation, and the Banking System: Empirical Evidence in Greece. Economic Recessions - Navigating Economies in a Volatile World and the Path for Economic Resilience and Development. doi:10.5772/intechopen.1004205. Online publication date: 2-Apr-2024.
  • (2024) Leveraging Prefix Structure to Detect Volumetric DDoS Attack Signatures with Programmable Switches. 2024 IEEE Symposium on Security and Privacy (SP), pp. 4535-4553. doi:10.1109/SP54263.2024.00267. Online publication date: 19-May-2024.
  • (2024) A statistical approach to secure health care services from DDoS attacks during COVID-19 pandemic. Neural Computing and Applications 36(1), pp. 1-14. doi:10.1007/s00521-021-06389-6. Online publication date: 1-Jan-2024.
  • (2023) Analysis of the Security Challenges Facing the DS-Lite IPv6 Transition Technology. Electronics 12(10), 2335. doi:10.3390/electronics12102335. Online publication date: 22-May-2023.
  • (2023) Differentially Private Resource Allocation. Proceedings of the 39th Annual Computer Security Applications Conference, pp. 772-786. doi:10.1145/3627106.3627181. Online publication date: 4-Dec-2023.
  • (2023) NetHCF: Filtering Spoofed IP Traffic With Programmable Switches. IEEE Transactions on Dependable and Secure Computing 20(2), pp. 1641-1655. doi:10.1109/TDSC.2022.3161015. Online publication date: 1-Mar-2023.
  • (2023) DDoS Family: A Novel Perspective for Massive Types of DDoS Attacks. Computers & Security, 103663. doi:10.1016/j.cose.2023.103663. Online publication date: Dec-2023.
  • (2022) RAPT: A Robust Attack Path Tracing Algorithm to Mitigate SYN-Flood DDoS Cyberattacks. Sensors 23(1), 102. doi:10.3390/s23010102. Online publication date: 22-Dec-2022.
  • (2022) ReCEIF: Reinforcement Learning-Controlled Effective Ingress Filtering. 2022 IEEE 47th Conference on Local Computer Networks (LCN), pp. 106-113. doi:10.1109/LCN53696.2022.9843478. Online publication date: 26-Sep-2022.
  • (2022) A survey on security applications of P4 programmable switches and a STRIDE-based vulnerability assessment. Computer Networks: The International Journal of Computer and Telecommunications Networking 207:C. doi:10.1016/j.comnet.2022.108800. Online publication date: 16-May-2022.
