Distributed DoS Attack Prevention using Route-Based Distributed Packet Filtering
Heejo Lee - CERIAS
Jan 17, 2001
Abstract
Effective mitigation of denial-of-service (DoS) attacks is a pressing problem on the Internet. Most DoS attacks employ IP spoofing to hide the attacker's location. In many instances, DoS attacks can be prevented if the spoofed source IP address can be traced back to its origin. Recently, IP traceback mechanisms have been proposed for achieving efficient traceback of DoS attacks. These traceback mechanisms, however, are susceptible to distributed DoS (DDoS) attacks. Moreover, they allow spoofed packets to exert their debilitating effect on server resources before reactively instituting corrective actions.
In this talk, we describe route-based distributed packet filtering (DPF), a novel approach to DDoS prevention that addresses the weaknesses of previous IP traceback mechanisms, including probabilistic packet marking and ICMP message-based traceback. We show that by exploiting the routing information associated with BGP, distributed packet filtering achieves a synergistic filtering effect which proactively prevents significant---but not all---spoofed IP flows from reaching their target destinations in the first place. Those spoofed IP flows that cannot be prevented from penetrating are few enough, however, that their origin can be localized to within 5 sites, facilitating effective IP traceback. Collectively, DPF renders 88% of possible attack sites impotent, i.e., no spoofed IP flow emanating from these sites can reach other target sites, which promotes scalable DDoS attack prevention. This filtering effect can be achieved by performing the filtering function at less than 20% of all autonomous systems (AS) in the Internet, which makes incremental deployment feasible. Lastly, we show that the distributed filtering effect depends intimately on the power-law connectivity structure of the Internet topology.
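The route-based filter described in the abstract, as an added example that is not the speaker's or the paper's own code: a constructed toy AS-level topology, BFS shortest paths standing in for BGP-selected routes, a per-link table at each filtering AS of the source ASes that can legitimately arrive over that link, and a count of which spoofed flows still get through and which attacker sites are left with no usable spoofed source. The topology, the choice of filtering ASes and the single-path routing model are all assumptions made for illustration.

```python
from collections import deque
# Constructed toy AS topology (undirected links), not from the talk; BFS shortest paths stand in for BGP routes.
TOPOLOGY = {"A": ["B", "C"], "B": ["A", "D", "E"], "C": ["A", "D"],
            "D": ["B", "C", "F"], "E": ["B", "F"], "F": ["D", "E"]}
def routing_trees(graph):
    """Per destination, map each AS to its next hop toward it (the route table)."""
    trees = {}
    for dst in graph:
        parent, queue = {dst: None}, deque([dst])
        while queue:
            u = queue.popleft()
            for w in sorted(graph[u]):  # deterministic route selection
                if w not in parent:
                    parent[w] = u
                    queue.append(w)
        trees[dst] = parent
    return trees
def links_on_route(trees, src, dst):
    """Directed links (u, v) a packet crosses on its way from src to dst."""
    path = [src]
    while path[-1] != dst:
        path.append(trees[dst][path[-1]])
    return list(zip(path, path[1:]))
def build_filters(graph, trees, filter_nodes):
    """DPF table: per link into a filtering AS, the sources whose route to some destination uses it."""
    valid = {}
    for src in graph:
        for dst in graph:
            for u, v in links_on_route(trees, src, dst):
                if v in filter_nodes:
                    valid.setdefault((u, v), set()).add(src)
    return valid
def reaches(trees, valid, filter_nodes, attacker, claimed_src, target):
    """Forward one packet; a filtering AS drops it if the claimed source cannot arrive on that link."""
    return all(v not in filter_nodes or claimed_src in valid.get((u, v), set())
               for u, v in links_on_route(trees, attacker, target))
def evaluate(graph, filter_nodes):
    """Fraction of spoofed (attacker, claimed source, target) triples that get through, and the attacker sites left impotent."""
    trees = routing_trees(graph)
    valid = build_filters(graph, trees, filter_nodes)
    total, passed, potent = 0, 0, set()
    for a in graph:
        for s in graph:
            for t in graph:
                if s != a and t != a:  # a spoofed packet: claimed source differs from the origin AS
                    total += 1
                    if reaches(trees, valid, filter_nodes, a, s, t):
                        passed, potent = passed + 1, potent | {a}
    return passed / total, set(graph) - potent
```

Because the table for a link depends only on whether the receiving AS filters, adding filtering ASes can only drop more spoofed flows, and a packet whose claimed source is its real origin is never dropped under consistent routing, which is the false-positive check a deploying AS would want.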
About the Speaker
Heejo Lee is a Post Doctoral Research Associate at the Network Systems Lab and CERIAS. He received his BS, MS and PhD in Computer Science and Engineering from Pohang University of Science and Technology (POSTECH), Korea, in 1993, 1995 and 2000, respectively. His research interests include network security, parallel scientific computing, and fault-tolerant computing.
The views, opinions and assumptions expressed in these videos are those of the presenter and do not necessarily reflect the official policy or position of CERIAS or Purdue University. All content included in these videos is the property of Purdue University, the presenter and/or the presenter's organization, and is protected by U.S. and international copyright laws. The collection, arrangement and assembly of all content in these videos and on the hosting website is the exclusive property of Purdue University. You may not copy, reproduce, distribute, publish, display, perform, modify, create derivative works, transmit, or in any other way exploit any part of copyrighted material without permission from CERIAS, Purdue University.