Distributed DoS Attack Prevention using Route-Based Distributed Packet Filtering

Jan 17, 2001

PDF

Abstract

Effective mitigation of denial-of-service (DoS) attack is a pressing problem on the Internet. Most DoS attacks employ IP spoofing to hide the identity of the attacker's location. In many instances, DoS attacks can be prevented if the spoofed source IP address can be traced back to its origin. Recently IP traceback mechanisms have been proposed for achieving efficient traceback of DoS attacks. These traceback mechanisms, however, are susceptible to distributed DoS (DDoS) attacks. Moreover, they allow spoofed packets to exert their debilitating effect on server resources before reactively instituting corrective actions.

In this talk, we describe route-based distributed packet filtering (DPF), a novel approach to DDoS prevention, which is able to solve the weaknesses of previous IP traceback mechanisms including probabilistic packet marking and ICMP message-based traceback. We show that by exploiting routing information associated with BGP, distributed packet filtering is able to achieve a synergistic filtering effect which proactively prevents significant---but not all---spoofed IP flows from reaching their target destinations in the first place. Those spoofed IP flows that cannot be prevented from penetrating are so few in number, however, such that their origin can be localized to within 5 sites facilitating effective IP traceback. Collectively, DPF renders 88% of possible attack sites impotent, i.e., no spoofed IP flow emanating from these sites can reach other target sites which promotes scalable DDoS attack prevention. This filtering effect can be achieved by performing the filtering function at less than 20% of all autonomous systems (AS) in the Internet which makes incremental deployment feasible. Lastly, we show that the distributed filtering effect intimately depends on the power-law connectivity structure of Internet topology.