Stateful DDoS attacks and targeted filtering
نویسندگان
چکیده
The goal of a distributed denial of service (DDoS) attack is to completely tie up certain resources so that legitimate users are not able to access a service. It has long been an open security problem of the Internet. In this paper, we identify a class of stateful DDoS attacks that defeat the existing cookie-based solutions. To counter these attacks, we propose a new defense mechanism, called targeted filtering, which establishes filters at a firewall and automatically converges the filters to the flooding sources while leaving the rest of the Internet unblocked. We prove the correctness of the proposed defense mechanism, evaluate its efficiency by analysis and simulations, and establish its worst-case performance bounds in response to stateful DDoS attacks. We have also implemented a Linux-based prototype with experimental results that demonstrate the effectiveness of targeted filtering. r 2005 Elsevier Ltd. All rights reserved.
منابع مشابه
An Inline Detection and Prevention Framework for Distributed Denial of Service Attacks
By penetrating into a large number of machines and stealthily installing malicious pieces of code, a distributed denial of service (DDoS) attack constructs a hierarchical network and uses it to launch coordinated assaults. DDoS attacks often exhaust the network bandwidth, processing capacity and information resources of victims, thus, leading to unavailability of computing systems services. Var...
متن کاملNetwork Security of Internet Services: Eliminate DDoS Reflection Amplification Attacks
Our research problem is that there are a large number of successful network reflection DDoS attacks. Via a UDP Reflection Attack, an attacker can send just 1 Gb/s of payload to innocent servers, and it is these servers which then can send over 4,600 times the payload to the victim! There are very expensive and complex solutions in use today, however most all of these on premise solutions can be...
متن کاملAn IP-Traceback-based Packet Filtering Scheme for Eliminating DDoS Attacks
Distributed Denial-of-Service (DDoS) is still an important security challenge for computer networks. Filterbased DDoS defense is considered as an effective approach, since it can defend against both victim-resourceconsumption attacks and link-congestion attacks. However, the high possibility of false positive and the huge consumption of router resources reduce the practicality of existing filte...
متن کاملProbabilistic Packet Filtering Model to Protect Web Server from DDoS Attacks
We present a probabilistic packet filtering (PPF) mechanism to defend the Web server against Distributed Denial-of-Service (DDoS) attacks. To distinguish abnormal traffics from normal ones, we use Traffic Rate Analysis (TRA). If the TRA mechanism detects DDoS attacks, the proposed model probabilistically filters the packets related to the attacks. The simulation results demonstrate that it is u...
متن کاملSimulation-Based Study of Distributed Denial of Service Attacks Counteract in the Cloud Services
Network availability is threatened by the traditional Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks. The risk is much increased with the emergence of the new computing paradigm of cloud computing. In this era, DDoS attacks can threaten the cloud sustainability by hitting its pricing model exploiting the cloud scalability feature. Therefore, a new phenomenon is emerged...
متن کاملذخیره در منابع من
با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید
برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید
ثبت ناماگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید
ورودعنوان ژورنال:
- J. Network and Computer Applications
دوره 30 شماره
صفحات -
تاریخ انتشار 2007