Effectiveness of rate-limiting in mitigating flooding DOS attacks
نویسنده
چکیده
This paper investigates the effectiveness of rate-limiting in mitigating TCP-based flooding Denial of Service (DoS) attacks. Rate-limiting is used as a DoS defense mechanism to discard a fraction of incoming attack packets. Part of legitimate traffic is, however, mis-detected as attack traffic. The main contribution of this paper is to find out how much a DoS attack can be rate-limited without any undue penalties for those legitimate TCP flows, which are mis-detected as attack traffic. The research methodology is based on analyzing the TCP throughput in a simulated network where packet-loss is one-way due to rate-limiting of incoming packets. Empirical measurements in a small network are used to verify the simulation results.
منابع مشابه
StopIt: Mitigating DoS Flooding Attacks from Multi-Million Botnets
This paper presents the design and implementation of a filter-based DoS defense system (StopIt) and a comparison study on the effectiveness of filters and capabilities. Central to the StopIt design is a novel closed-control, open-service architecture: any receiver can use StopIt to block the undesired traffic it receives, yet the design is robust to various strategic attacks from millions of bo...
متن کاملNew Approach to Mitigating Distributed Service Flooding Attacks
Distributed denial of service (DDoS) attacks pose great threat to the Internet and its public services. Various computation-based cryptographic puzzle schemes have been proposed to mitigate DDoS attacks when detection is hard or has low accuracy. Yet, existing puzzle schemes have shortcomings that limit their effectiveness in practice. First, the effectiveness of computation-based puzzles decre...
متن کاملMitigating Distributed Service Flooding Attacks with Guided Tour Puzzles
Various cryptographic puzzle schemes have been proposed as defenses against Denial of Service (DoS) attacks. However, these schemes have two common shortcomings that diminish their effectiveness as a DoS mitigation solution. First, the DoS-resilience that these schemes provide is minimized when there is a large disparity between the computational power of malicious and legitimate clients. Secon...
متن کاملA hybrid multiobjective RBF-PSO method for mitigating DoS attacks in Named Data Networking
Named Data Networking (NDN) is a promising network architecture being considered as a possible replacement for the current IP-based (host-centric) Internet infrastructure. NDN can overcome the fundamental limitations of the current Internet, in particular, Denial-of-Service (DoS) attacks. However, NDN can be subject to new type of DoS attacks namely Interest flooding attacks and content poisoni...
متن کاملCross-domain DoS link-flooding attack detection and mitigation using SDN prin- ciples
The Denial of Service (DoS) attacks pose a major threat to Internet users and services. Since the network security ecosystem is expanding over the years, new types of DoS attacks emerge. The DoS link-flooding attacks target to severely congest certain network links disrupting Internet accessibility to certain geographical areas and services passing through these links. Since crucial services li...
متن کامل