StopIt: Mitigating DoS Flooding Attacks from Multi-Million Botnets
Authors
Abstract
This paper presents the design and implementation of a filter-based DoS defense system (StopIt) and a comparison study on the effectiveness of filters and capabilities. Central to the StopIt design is a novel closed-control, open-service architecture: any receiver can use StopIt to block the undesired traffic it receives, yet the design is robust to various strategic attacks from millions of bots, including filter exhaustion attacks and bandwidth flooding attacks that aim to disrupt the timely installation of filters. Our evaluation shows that StopIt can block the attack traffic from a few million attackers within tens of minutes with bounded router memory. We compare StopIt with existing filter-based and capability-based DoS defense systems under simulated DoS attacks of various types and scales. Our results show that StopIt outperforms existing filter-based systems, and can prevent legitimate communications from being disrupted by various DoS flooding attacks. It also outperforms capability-based systems in most attack scenarios, but a capability-based system is more effective in a type of attack in which the attack traffic does not reach the victim but congests a link shared by the victim. These results suggest that both filters and capabilities are highly effective DoS defense mechanisms, but neither is more effective than the other in all types of DoS attacks.
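The abstract names a filter exhaustion attack: bots flood a receiver from so many sources that the filters it requests consume all of a router's filter memory, leaving nothing for other receivers. The toy below is an added illustration of why bounded filter memory needs a per-receiver allocation; it is not StopIt's own code, and the class name, the quota policy and the two-receiver scenario are my assumptions, not a description of how StopIt actually allocates filters.

```python
from collections import defaultdict


class FilterTable:
    """Router filter memory with a hard capacity and a per-receiver quota.

    A filter is keyed (src, dst): receiver dst has asked the router to drop
    packets from src. Without a quota, whichever receiver asks first (or is
    made to ask most, by a flood from many sources) owns the whole table.
    Hypothetical design for illustration only.
    """

    def __init__(self, capacity, quota):
        self.capacity = capacity        # total filter slots in router memory
        self.quota = quota              # slots any one receiver may hold
        self.filters = set()            # installed (src, dst) pairs
        self.held = defaultdict(int)    # dst -> slots currently held by dst

    def install(self, src, dst):
        """Return True if a filter for (src, dst) is present after the call."""
        if (src, dst) in self.filters:
            return True
        if len(self.filters) >= self.capacity or self.held[dst] >= self.quota:
            return False                # memory full, or receiver over quota
        self.filters.add((src, dst))
        self.held[dst] += 1
        return True

    def forwards(self, src, dst):
        """Data-plane check: True if the router still forwards src -> dst."""
        return (src, dst) not in self.filters


def exhaustion_scenario(capacity, quota, attacker_sources):
    """Receiver A is flooded from attacker_sources distinct bots and requests a
    filter per source; receiver B then asks for a single filter.

    Returns (filters A obtained, whether B obtained its filter).
    """
    table = FilterTable(capacity, quota)
    a_got = sum(table.install(f"bot{i}", "A") for i in range(attacker_sources))
    b_got = table.install("bot0", "B")
    return a_got, b_got


def dropped_fraction(table, dst, sources):
    """Fraction of packets from the given sources to dst that the router drops."""
    dropped = sum(not table.forwards(src, dst) for src in sources)
    return dropped / len(sources)


if __name__ == "__main__":
    # Constructed scenario: 1000 filter slots, 5000-bot flood against A.
    print(exhaustion_scenario(1000, 1000, 5000))   # no quota: A fills table, B starved
    print(exhaustion_scenario(1000, 100, 5000))    # quota: A capped, B still served
```

With no quota (quota equal to capacity) the flooded receiver A installs 1000 filters and B is refused; with a quota of 100, B is served but A can block only 100 of its 5000 sources. That residual problem, how a receiver under a multi-million-bot flood gets enough filtering in bounded memory, is exactly what the paper's closed-control, open-service architecture is designed to address, and the abstract does not describe the mechanism, so this example stops at showing the trade-off.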
Similar references
On Modeling and Mitigating New Breed of Dos Attacks
By Amey Bhaskar Shevtekar. Denial of Service (DoS) attacks pose serious threats to the Internet, with tremendous impact on our daily lives, which depend heavily on the good health of the Internet. This dissertation aims to achieve two objectives: 1) to model new possibilities of low-rate DoS attacks; 2) to develop effective miti...
Effectiveness of rate-limiting in mitigating flooding DOS attacks
This paper investigates the effectiveness of rate-limiting in mitigating TCP-based flooding Denial of Service (DoS) attacks. Rate-limiting is used as a DoS defense mechanism to discard a fraction of incoming attack packets. Part of legitimate traffic is, however, mis-detected as attack traffic. The main contribution of this paper is to find out how much a DoS attack can be rate-limited without ...
A hybrid multiobjective RBF-PSO method for mitigating DoS attacks in Named Data Networking
Named Data Networking (NDN) is a promising network architecture being considered as a possible replacement for the current IP-based (host-centric) Internet infrastructure. NDN can overcome fundamental limitations of the current Internet, in particular Denial-of-Service (DoS) attacks. However, NDN can be subject to new types of DoS attacks, namely Interest flooding attacks and content poisoni...
DoS Attacks Flood Techniques
DoS attacks (Denial of Service) are one of the main problems in the computer security field. Usually these attacks result in the loss of network connectivity due to excessive bandwidth consumption and resource bottlenecks on the attacked system. DoS attacks can occur in various ways; however, all of them have in common the use of the IP protocol. This work presents the effects on network elements and secu...
Modular System for Mitigating Flood Attacks
Denial-of-Service (DoS) flooding attacks have become a serious threat to the reliability of the Internet. Web servers face all kinds of users; some of them engage in malicious activities to degrade or completely block network services, such as flooding attacks. As a result, a lot of resources and bandwidth on web sites may be wasted. While many approaches exist to filter network-level attacks, the...