Heejo Lee - CERIAS
Distributed DoS Attack Prevention using Route-Based Distributed Packet Filtering
Jan 17, 2001
Abstract
Effective mitigation of denial-of-service (DoS) attacks is a pressing problem on the Internet. Most DoS attacks employ IP source address spoofing to hide the attacker's location. In many instances, DoS attacks can be prevented if a spoofed source IP address can be traced back to its origin. Recently, IP traceback mechanisms have been proposed for achieving efficient traceback of DoS attacks. These traceback mechanisms, however, are susceptible to distributed DoS (DDoS) attacks. Moreover, they allow spoofed packets to exert their debilitating effect on server resources before corrective actions are instituted reactively.
In this talk, we describe route-based distributed packet filtering (DPF), a novel approach to DDoS prevention that addresses the weaknesses of previous IP traceback mechanisms, including probabilistic packet marking and ICMP message-based traceback. We show that by exploiting the routing information associated with BGP, distributed packet filtering achieves a synergistic filtering effect which proactively prevents a significant fraction (but not all) of spoofed IP flows from reaching their target destinations in the first place. The spoofed IP flows that cannot be kept from penetrating are, however, few enough that their origin can be localized to within 5 sites, which facilitates effective IP traceback. Collectively, DPF renders 88% of possible attack sites impotent, i.e., no spoofed IP flow emanating from these sites can reach any other target site, which promotes scalable DDoS attack prevention. This filtering effect can be achieved by performing the filtering function at less than 20% of all autonomous systems (ASes) in the Internet, which makes incremental deployment feasible. Lastly, we show that the distributed filtering effect depends intimately on the power-law connectivity structure of the Internet topology.
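The mechanism behind the abstract's claims is easiest to see on a small AS graph, so the following added example (not code from the talk or its authors) simulates route-based filtering: every filtering AS keeps, per inbound link, the set of source ASes whose traffic could legitimately arrive over that link, and drops anything else. The example assumes hop-count shortest-path routing with a deterministic tie-break as a stand-in for real BGP route selection, and the six-AS topology, the partial deployment set and all metrics (blocked triples, "impotent" attack sites, and the localization set for a given target and spoofed source) are constructed for illustration.

```python
from collections import deque
from itertools import product

# Constructed toy AS-level topology (undirected adjacency lists); hypothetical.
TOPOLOGY = {
    1: [2],
    2: [1, 3, 5],
    3: [2, 4],
    4: [3, 6],
    5: [2, 6],
    6: [4, 5],
}


def shortest_paths(topo):
    """routes[(s, d)] = [s, ..., d] for every ordered AS pair.

    Assumption: hop-count shortest paths with lowest-AS-number tie-break,
    standing in for the BGP-derived routing information DPF relies on.
    """
    routes = {}
    for s in topo:
        parent = {s: None}
        queue = deque([s])
        while queue:
            v = queue.popleft()
            for w in sorted(topo[v]):
                if w not in parent:
                    parent[w] = v
                    queue.append(w)
        for d in topo:
            path, x = [], d
            while x is not None:
                path.append(x)
                x = parent[x]
            routes[(s, d)] = path[::-1]
    return routes


def build_filters(routes, filtering_ases):
    """table[v][u] = source ASes whose traffic to *some* destination legitimately
    traverses the link u -> v.  Only filtering ASes keep a table (partial deployment)."""
    table = {v: {} for v in filtering_ases}
    for (s, _d), path in routes.items():
        for u, v in zip(path, path[1:]):
            if v in table:
                table[v].setdefault(u, set()).add(s)
    return table


def packet_reaches(attacker, spoofed_src, target, routes, table):
    """Forward a packet injected at `attacker` with a source address belonging to
    AS `spoofed_src` along the attacker's route to `target`.  A filtering AS drops
    it if that source is not admissible on the link the packet arrived over."""
    path = routes[(attacker, target)]
    for u, v in zip(path, path[1:]):
        if v in table and spoofed_src not in table[v].get(u, set()):
            return False
    return True


def evaluate(topo, filtering_ases):
    """Try every (attacker, spoofed source, target) triple with attacker != source
    (otherwise it is not spoofing) and attacker != target.  Returns how many are
    blocked, which attack sites are rendered impotent (no spoofed flow from them
    reaches any target), and for each (target, spoofed source) the attacker sites
    that still get through, i.e. the set traceback would have to search."""
    routes = shortest_paths(topo)
    table = build_filters(routes, filtering_ases)
    ases = sorted(topo)
    total = blocked = 0
    reach, potent = {}, set()
    for a, s, t in product(ases, repeat=3):
        if a == s or a == t:
            continue
        total += 1
        if packet_reaches(a, s, t, routes, table):
            reach.setdefault((t, s), set()).add(a)
            potent.add(a)
        else:
            blocked += 1
    return {"total": total, "blocked": blocked,
            "impotent": set(ases) - potent, "reach": reach}


if __name__ == "__main__":
    result = evaluate(TOPOLOGY, {2, 6})   # filtering at 2 of 6 ASes
    print(f"blocked {result['blocked']} of {result['total']} spoofed flows")
    print("impotent attack sites:", sorted(result["impotent"]))
    print("sites that can deliver source 4 to target 1:",
          sorted(result["reach"][(1, 4)]))
```

With filtering deployed only at ASes 2 and 6, a packet entering AS 2 from AS 1 must carry a source in AS 1, so the stub AS 1 cannot spoof anything at all, and a packet claiming to come from AS 4 and arriving at target 1 can only have been injected at AS 2 or AS 3. The filter table is the security-relevant part: its correctness depends on the route information being accurate, and a filtering AS that learns a stale or poisoned route admits the wrong sources on a link.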
About the Speaker
Heejo Lee is a Post Doctoral Research Associate at the Network Systems Lab and CERIAS. He received his BS, MS and PhD in Computer Science and Engineering from Pohang University of Science and Technology (POSTECH), Korea, in 1993, 1995 and 2000, respectively. His research interests include network security, parallel scientific computing, and fault-tolerant computing.