Detecting Service Violations and DoS Attacks
Author
Ahsan Habib, Mohamed Hefeeda, Bharat Bhargava
Tech report number
CERIAS TR 2002-15
Abstract
Denial of Service (DoS) attacks are a serious threat to the Internet. A DoS attack can consume memory, CPU, and network resources and damage or shut down the operation of the resource under attack (the victim). A common DoS attack floods a network with bogus traffic so that legitimate users may not be able to communicate. There are several proposals to traceback the network attack path to identify the source that causes the DoS attack. This is an effective solution to trace the attacker, but it is not preventive in nature. Ingress filtering and route-based filtering are two proactive approaches to stop DoS attacks. These solutions check the source addresses of incoming packets to ensure they are coming from legitimate sources or traversing proper routes. We study several existing schemes that deal with DoS attacks. We describe several network monitoring approaches to detect service violations and DoS attacks. In addition, we propose a new distributed scheme to reduce monitoring overhead. Finally, a quantitative comparison among all schemes is conducted, in which we highlight the merits of each scheme and estimate the overhead (both computation and communication) introduced by it. The comparison provides guidelines for selecting the appropriate scheme, or a combination of schemes, based on the requirements and how much overhead can be tolerated.
School
Purdue University, West Lafayette, IN 47906
Affiliation
CERIAS and Department of Computer Sciences
Publication Date
1900-01-01
Keywords
DoS attacks, IP Traceback, Filtering, Network Monitoring