Securecast: Multicast Based Protection Against Denial of Service Attacks

In this paper, we introduce a proactive mechanism to protect Internet hosts against network based denial of service (DoS) attacks. We give Internet hosts an ability to explicitly control who to communicate with and therefore avoid potential DoS attacks coming from the others over the Internet. Our approach depends on the availability of the Source Specific Multicast (SSM) service in the Internet. The key characteristics of the SSM service that we exploit for our purpose are (1) in SSM, only the source can send to an SSM group, (2) packet delivery to a receiver depends on the receiver’s joining the SSM group, and (3) reverse path forwarding rule protects the communication against IP address spoofing attacks. We call our approach securecast. First, we present two slightly different operation modes for securecast: DoS protection and DoS prevention. Then, we discuss the issues that affect the successful deployment of securecast. These include multicast forwarding state scalability and data confidentiality. Finally, we evaluate securecast by comparing it to alternative approaches based on their performance and operational overhead.