Abstract
Current Denial-of-Service (DoS) attacks are directed towards a specific victim. The research community has devised several countermeasures that protect the victim host against undesired traffic.
We present Coremelt, a new attack mechanism, where attackers only send traffic between each other, and not towards a victim host. As a result, none of the attack traffic is unwanted. The Coremelt attack is powerful because among N attackers, there are O(N^2) connections, which cause significant damage in the core of the network. We demonstrate the attack based on simulations within a real Internet topology using realistic attacker distributions and show that attackers can induce a significant amount of congestion.
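The quadratic growth the abstract describes, modelled as an added example that is not the paper's own simulation code. It assumes a constructed toy topology (two stub networks joined by a single core link, names such as "e1", "core1" and the hosts "h1".."h6" are invented), routes one flow per unordered attacker pair along a shortest path, and reports the load this places on the core link. The victim-centric count at the end shows, from an operator's side, why a filter keyed on a victim address matches none of these flows: every endpoint is an attacker.

```python
from collections import defaultdict, deque
from itertools import combinations

# Constructed toy topology (assumption, not the paper's Internet topology):
# hosts h1..h3 sit behind edge router e1, hosts h4..h6 behind e2, and the
# two edge routers reach each other only through the core link core1-core2.
TOPOLOGY = {
    "h1": ["e1"], "h2": ["e1"], "h3": ["e1"],
    "h4": ["e2"], "h5": ["e2"], "h6": ["e2"],
    "e1": ["h1", "h2", "h3", "core1"],
    "e2": ["h4", "h5", "h6", "core2"],
    "core1": ["e1", "core2"],
    "core2": ["e2", "core1"],
}
CORE_LINK = frozenset(("core1", "core2"))


def shortest_path(topology, src, dst):
    """Hop-count shortest path by BFS; returns the node list or None if unreachable."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nxt in topology[node]:
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    if dst not in prev:
        return None
    path, node = [], dst
    while node is not None:
        path.append(node)
        node = prev[node]
    return path[::-1]


def link_loads(topology, attackers, rate_per_flow):
    """Route one flow between every attacker pair and sum the load on each link.

    Returns (number_of_flows, {frozenset(link): load}); with N attackers the
    flow count is N*(N-1)/2, which is the O(N^2) term from the abstract.
    """
    loads = defaultdict(float)
    flows = 0
    for a, b in combinations(sorted(attackers), 2):
        path = shortest_path(topology, a, b)
        if path is None:
            continue
        flows += 1
        for u, v in zip(path, path[1:]):
            loads[frozenset((u, v))] += rate_per_flow
    return flows, dict(loads)


def core_utilization(topology, attackers, rate_per_flow, core_capacity):
    """Fraction of the core link's capacity consumed by attacker-to-attacker flows."""
    flows, loads = link_loads(topology, attackers, rate_per_flow)
    return flows, loads.get(CORE_LINK, 0.0) / core_capacity


def victim_directed_flows(attackers, victim):
    """Flows a victim-centric filter would match: those with the victim as an endpoint."""
    return sum(1 for a, b in combinations(attackers, 2) if victim in (a, b))


if __name__ == "__main__":
    bots = ["h1", "h2", "h3", "h4", "h5", "h6"]
    # Constructed figures: 1 unit of rate per flow, core link capacity 10 units.
    for n in range(2, len(bots) + 1):
        flows, util = core_utilization(TOPOLOGY, bots[:n], 1.0, 10.0)
        print(f"{n} attackers: {flows:2d} flows, core link at {util:.0%}")
    print("flows a filter for victim 'v' would see:", victim_directed_flows(bots, "v"))
```

Because half the attackers sit in each stub, the core link carries one flow for every cross-stub pair (3 x 3 = 9 of the 15 flows here), while each access link carries only the flows of its single host; this is the concentration effect that lets modest per-flow rates add up in the core.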
This research was supported in part by CyLab at Carnegie Mellon under grants DAAD19-02-1-0389 and MURI W 911 NF 0710287 from the Army Research Office, and grant CNS-0831440 from the National Science Foundation. The views and conclusions contained here are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either express or implied, of ARO, CMU, NSF, or the U.S. Government or any of its agencies.
© 2009 Springer-Verlag Berlin Heidelberg
Studer, A., Perrig, A. (2009). The Coremelt Attack. In: Backes, M., Ning, P. (eds) Computer Security – ESORICS 2009. ESORICS 2009. Lecture Notes in Computer Science, vol 5789. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-04444-1_3
DOI: https://doi.org/10.1007/978-3-642-04444-1_3
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-04443-4
Online ISBN: 978-3-642-04444-1
eBook Packages: Computer Science (R0)