Max Schuchard scite author profile

In this paper, we present Nyx, the first system to both effectively mitigate modern Distributed Denial of Service (DDoS) attacks regardless of the amount of traffic under adversarial control and function without outside cooperation or an Internet redesign. Nyx approaches the problem of DDoS mitigation as a routing problem rather than a filtering problem. This conceptual shift allows Nyx to avoid many of the common shortcomings of existing academic and commercial DDoS mitigation systems. By leveraging how Autonomous Systems (ASes) handle route advertisement in the existing Border Gateway Protocol (BGP), Nyx allows the deploying AS to achieve isolation of traffic from a critical upstream AS off of attacked links and onto alternative, uncongested, paths. This isolation removes the need for filtering or de-prioritizing attack traffic. Nyx controls outbound paths through normal BGP path selection, while return paths from critical ASes are controlled through the use of specific techniques we developed using existing traffic engineering principles and require no outside coordination. Using our own realistic Internet-scale simulator, we find that in more than 98% of cases our system can successfully route critical traffic around network segments under transit-link DDoS attacks; a new form of DDoS attack where the attack traffic never reaches the victim AS, thus invaliding defensive filtering, throttling, or prioritization strategies. More significantly, in over 95% of those cases, the alternate path provides complete congestion relief from transitlink DDoS. Nyx additionally provides complete congestion relief in over 75% of cases when the deployer is being directly attacked.Permission to freely reproduce all or part of this paper for noncommercial purposes is granted provided that copies bear this notice and the full citation on the first page. Reproduction for commercial purposes is strictly prohibited without the prior written consent of the Internet Society, the first-named author (for reproduction of an entire paper only), and the author's employer if the paper was prepared within the scope of employment.

show abstract

Protecting access privacy of cached contents in information centric networks

Mohaisen¹,

Zhang

Schuchard

et al. 2013

View full text Add to dashboard Cite

In recently proposed information centric networks (ICN), a user issues "interest" packets to retrieve contents from network by names. Once fetched from origin servers, "data" packets are replicated and cached in all routers along routing and forwarding paths, thus allowing further interests by other users to be fulfilled quickly. However, the way ICN caching works poses a great privacy risk: the time difference between responses for an interest of cached and uncached content can be used as an indicator to infer whether or not a near-by user has previously requested the same content as that requested by an adversary. This work introduces the extent to which the problem is applicable in ICN and provides several solutions that try to strike a balance between their cost and benefits, and raise the bar for the adversary to apply such attack.

show abstract

Withdrawing the BGP Re-Routing Curtain: Understanding the Security Impact of BGP Poisoning through Real-World Measurements

Smith

Birkeland

McDaniel

et al. 2020

View full text Add to dashboard Cite

Protecting access privacy of cached contents in information centric networks

Mohaisen¹,

Zhang

Schuchard

et al. 2012

View full text Add to dashboard Cite

In information centric network (ICN), contents are fetched by their names from caches deployed in the network or from origin servers. Once the contents are fetched from the origin server, it is replicated and cached in all routers along the routing and forwarding paths from the user that issues the interest to the origin server, thus allowing further "interests" by other users to be fulfilled quickly. However, the way ICN caching and interest fulfillment work pose a great privacy risk; the time difference between response for interest of cached and uncached contents can be used as an indicator to infer whether or not a near-by user previously requested the same contents requested by the adversary. This work introduces the extent to which the problem is applicable in ICN and provides several solutions to address it.

show abstract

scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.

Contact Info

hi@scite.ai

10624 S. Eastern Ave., Ste. A-614

Henderson, NV 89052, USA

Blog Terms and Conditions API Terms Privacy Policy Contact Cookie Preferences Do Not Sell or Share My Personal Information

Made with 💙 for researchers

Part of the Research Solutions Family.

Max Schuchard

Routing around decoys

Routing Around Congestion: Defeating DDoS Attacks and Adverse Network Conditions via Reactive BGP Routing

Protecting access privacy of cached contents in information centric networks

Withdrawing the BGP Re-Routing Curtain: Understanding the Security Impact of BGP Poisoning through Real-World Measurements

Protecting access privacy of cached contents in information centric networks

Contact Info

Product

Resources

About