PERFORMANCE EVALUATION OF ROUTE-BASED DISTRIBUTED PACKET FILTERING FOR DDOS PREVENTION IN LARGE-SCALE NETWORKS
A Thesis
Authors: Kim, HyoJeong
Abstract
Kim, HyoJeong. M.S., Purdue University, December 2003. Performance Evaluation of Route-based Distributed Packet Filtering for DDoS Prevention in Large-scale Networks. Major Professor: Kihong Park.

This thesis evaluates the performance of route-based distributed packet filtering (DPF) for preventing spoofed distributed denial of service (DDoS) attacks in large-scale networks under dynamic network conditions. Our contribution is threefold.

First, we design and implement a route-based DPF protocol that computes route-based filter tables dynamically in the presence of IP (Internet Protocol) routing table updates governed by BGP (Border Gateway Protocol), the Internet's inter-domain routing protocol. By introducing an additional signalling message type to BGP, our solution discovers source reachability information despite the destination-based and policy-based characteristics of BGP, which are prone to generating asymmetric routes.

Second, we evaluate the proactive protection performance of route-based DPF under dynamic network conditions, including node failures and the resulting transient system states. Benchmarking is carried out on large-scale Internet measurement topologies, where we show that route-based DPF is robust and effective with respect to both proactive (containment) and reactive (traceback) performance.

Third, to facilitate large-scale simulation-based DDoS performance evaluation, we built the Dynamic DPF Simulator as an extension of DaSSFNet. By incorporating automated network configuration, partitioning, and run-time measurement and monitoring, we show that scalable network simulation is achieved by enabling efficient memory, CPU, and communication load balancing in workstation clusters.
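The abstract's central point is that a router's own destination-based forwarding table does not tell it which link packets from a given source should arrive on, so route-based filter tables need source-reachability information that the thesis obtains through an extra BGP message. The following Python script is an added illustration, not code from the thesis or from DaSSFNet: it builds route-based DPF filter tables for a constructed five-node topology whose A-to-D and D-to-A routes are asymmetric, and contrasts them with a reverse-path check that consults only the receiving router's own forwarding table. The filtering rule assumed here (accept source s on link (u, R) only if some route from s to some destination traverses that link) is my reading of route-based DPF; the tables are computed centrally from all forwarding tables, standing in for the information the thesis's BGP extension discovers in a distributed way. Node names, links and next hops are all constructed.

```python
"""Route-based DPF on a toy topology with asymmetric routes (added example).

Assumed filtering rule: router R accepts a packet with source address s
arriving over the link (u, R) only if some route from s to some destination
traverses (u, R). The filter tables below are computed from global knowledge
of every forwarding table, as a simulator can do; a deployed router must
learn this source-reachability information from its neighbours, because its
own destination-based forwarding table says nothing about which link traffic
*from* s arrives on once routes are asymmetric.
"""
from itertools import permutations

# Constructed toy AS-level topology with policy-chosen next hops.
# Links: A-B, A-C, B-D, C-D, C-X.  The A<->D routes are deliberately
# asymmetric: A->D goes A,B,D while D->A goes D,C,A.
FIB = {
    "A": {"B": "B", "C": "C", "D": "B", "X": "C"},
    "B": {"A": "A", "C": "D", "D": "D", "X": "D"},
    "C": {"A": "A", "B": "D", "D": "D", "X": "X"},
    "D": {"A": "C", "B": "B", "C": "C", "X": "C"},
    "X": {"A": "C", "B": "C", "C": "C", "D": "C"},
}


def forwarding_path(fib, src, dst):
    """Follow next-hop entries from src to dst; returns the node sequence."""
    path = [src]
    while path[-1] != dst:
        nxt = fib[path[-1]][dst]
        if nxt in path:  # guard against a mis-specified, looping FIB
            raise RuntimeError(f"forwarding loop on {src}->{dst}: {path + [nxt]}")
        path.append(nxt)
    return path


def build_dpf_tables(fib):
    """Return {(u, R): set of sources s whose route to some d traverses u->R}."""
    tables = {}
    for s, d in permutations(fib, 2):
        p = forwarding_path(fib, s, d)
        for u, r in zip(p, p[1:]):
            tables.setdefault((u, r), set()).add(s)
    return tables


DPF = build_dpf_tables(FIB)


def dpf_accepts(router, ingress, src):
    """Route-based DPF check at `router` for a packet arriving from `ingress`."""
    return src in DPF.get((ingress, router), set())


def strict_rpf_accepts(router, ingress, src):
    """Reverse-path check using only the router's own FIB: accept iff the
    next hop toward src is the link the packet arrived on. Correct only
    when routes are symmetric."""
    return FIB[router].get(src) == ingress


def spoofable_sources(router, ingress):
    """Sources DPF cannot tell apart on this link: a packet claiming any of
    them is accepted, which is also what bounds traceback to this set."""
    return set(DPF.get((ingress, router), set()))


def trace_packet(claimed_src, origin, dst, check):
    """Inject a packet at `origin` claiming source `claimed_src`, forward it
    hop by hop toward dst, applying `check` at each receiving router.
    Returns (delivered, router_that_dropped_it)."""
    path = forwarding_path(FIB, origin, dst)
    for u, r in zip(path, path[1:]):
        if not check(r, u, claimed_src):
            return False, r
    return True, None


if __name__ == "__main__":
    print("A->D path:", forwarding_path(FIB, "A", "D"))
    print("D->A path:", forwarding_path(FIB, "D", "A"))
    # Legitimate A->D traffic: DPF accepts it; strict RPF at D wrongly drops
    # it because D's own FIB points toward C for destination A.
    print("legit A->D, DPF:       ", trace_packet("A", "A", "D", dpf_accepts))
    print("legit A->D, strict RPF:", trace_packet("A", "A", "D", strict_rpf_accepts))
    # A packet injected at X with source A is dropped at its first hop, C.
    print("X claims A, to D, DPF: ", trace_packet("A", "X", "D", dpf_accepts))
    # Known limit: a packet injected at D claiming C passes at B, since C's
    # traffic legitimately arrives at B over D->B; traceback narrows it to
    # the spoofable set for that link.
    print("D claims C, to B, DPF: ", trace_packet("C", "D", "B", dpf_accepts))
    print("spoofable at B via D:  ", sorted(spoofable_sources("B", "D")))
```

Running the script shows the two effects the abstract refers to: under asymmetric routing the FIB-only reverse-path check drops legitimate A-to-D traffic at D, while the route-based table accepts it and still drops the forged-source packet at its first hop; the per-link source sets returned by `spoofable_sources` are what makes the reactive (traceback) side possible, since any packet that does get through is known to originate from a small set of sources behind that link.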
Similar resources
HF-Blocker: Detection of Distributed Denial of Service Attacks Based On Botnets
Today, botnets have become a serious threat to enterprise networks. By creating networks of bots, they launch several kinds of attacks; distributed denial of service (DDoS) attacks on networks are one example. Such attacks, by occupying system resources, have proven to be an effective method of denying network services. Botnets that launch HTTP packet flood attacks agains...
A Firegroup Mechanism to Provide Intrusion Detection and Prevention System Against DDos Attack in Collaborative Clustered Networks
Distributed Denial of Service (DDoS) attacks are the major security concern in collaborative networks. Although non-DDoS attacks also make network performance poor, the effect of DDoS attacks is severe. In DDoS attacks, a particular node is flooded as the victim and jammed with massive traffic, and the performance of the complete network is affected. In this paper, a novel Intru...
An IP-Traceback-based Packet Filtering Scheme for Eliminating DDoS Attacks
Distributed Denial-of-Service (DDoS) is still an important security challenge for computer networks. Filter-based DDoS defense is considered an effective approach, since it can defend against both victim-resource-consumption attacks and link-congestion attacks. However, the high possibility of false positives and the huge consumption of router resources reduce the practicality of existing filte...
Performance Analysis of Disable IP Broadcast Technique for Prevention of Flooding-Based DDoS Attack in MANET
In Mobile Ad hoc Networks (MANET), various types of Denial of Service (DoS) attacks are possible because of the inherent limitations of its routing protocols. Considering the Ad hoc On Demand Vector (AODV) routing protocol as the base protocol, it is possible to find a suitable solution to overcome the malicious flooding, i.e., the attack of initiating/forwarding Route Requests (RREQs) that lead to ...
A survey of DDoS Service Attacks in Collaborative Intrusion Detection System
A DDoS (Distributed Denial-of-Service) attack is a distributed large-scale attempt by malicious users to flood the victim network with an enormous number of packets. This exhausts the victim network's resources, such as bandwidth and computing power; the victim is unable to provide services to its legitimate clients, and network performance is greatly deteriorated. There are many proposed met...