Controlling high bandwidth aggregates in the network

Mahajan, Ratul; Bellovin, Steven M.; Floyd, Sally; Ioannidis, John P. A.; Paxson, Vern; Shenker, Scott

doi:10.1145/571697.571724

Cited by 559 publications

(406 citation statements)

References 20 publications

(27 reference statements)

Supporting

Mentioning

403

Contrasting

Unclassified

Order By: Relevance

“…Bandwidth exhaustion attack: finally, we note that SES-RAA does not mitigate pure bandwidth exhaustion attacks (for example, UDP flood). SESRAA solely focuses on the issue of botnet-style resource exhaustion via legitimate requests for which traditional SYN-flood pushback-style mechanisms [17,18] would offer little benefit. SESRAA does not preclude the use of these techniques to filter out unwanted traffic and is largely complementary to those techniques.…”

Section: Discussionmentioning

confidence: 99%

“…Bandwidth depletion attack can be mitigated by filtering unwanted traffic earlier which would have been discarded anyway later at the end server (for example, UDP data flood). In Reference [17], Mahajan et al propose a pushback mechanism to control aggregates at the upstream router. The rate limiting scheme from the upstream gateway can be combined with our approach to provide a comprehensive end host defense against DDoS attacks.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Using selective, short‐term memory to improve resilience against DDoS exhaustion attacks

Liao

Cieslak

Striegel

et al. 2008

Security Comm Networks

View full text Add to dashboard Cite

SummaryDistributed denial of service (DDoS) attacks originating from botnets can quickly bring normally effective web services to a screeching halt. This paper presents SESRAA (selective short-term randomized acceptance algorithms), an adaptive scheme for maintaining web service despite the presence of multifaceted attacks in a noisy environment. In contrast to existing solutions that rely upon 'clean' training data, we presume that a live web service environment makes finding such training data difficult if not impossible. SESRAA functions much like a battlefield surgeon's triage: focusing on quickly and efficiently salvaging good connections with the realization that the chaotic nature of the live environment implicitly limits the accuracy of such detections. SESRAA employs an adaptive k-means clustering approach using short-term extraction and limited centroid evolution to defend the legitimate connections in a mixed attack environment. We present the SESRAA approach and evaluate its performance through experimental studies in a diverse attack environment. The results show significant improvements against a wide variety of DDoS configurations and input traffic patterns.

show abstract

Section: Discussionmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Using selective, short‐term memory to improve resilience against DDoS exhaustion attacks

Liao

Cieslak

Striegel

et al. 2008

Security Comm Networks

View full text Add to dashboard Cite

show abstract

“…The dynamic decisions of the recursive traversal of the translation table graph, as well as the persistent state, help DRUID to be more adaptive and context dependent, so that various protections and compensation can be added as needed, delaying the cost of expensive mechanisms until they are of real benefit. For example, certain types of DDoS protection [37,41] require adding marks to packets and checking for those marks at various points in the network. DRUID's ability to add and remove blocks dynamically would permit inserting and removing the necessary blocks at the appropriate locations only when DDoS defense was actually required, rather than at all times.…”

Section: Issues and Challengesmentioning

confidence: 99%

A Dynamic Recursive Unified Internet Design (DRUID)

Touch¹,

Baldin

Dutta

et al. 2011

Computer Networks

View full text Add to dashboard Cite

a b s t r a c tThe Dynamic Recursive Unified Internet Design (DRUID) is a future Internet design that unifies overlay networks with conventional layered network architectures. DRUID is based on the fundamental concept of recursion, enabling a simple and direct network architecture that unifies the data, control, management, and security aspects of the current Internet, leading to a more trustworthy network. DRUID's architecture is based on a single recursive block that can adapt to support a variety of communication functions, including parameterized mechanisms for hard/soft state, flow and congestion control, sequence control, fragmentation and reassembly, compression, encryption, and error recovery. This recursion is guided by the structure of a graph of translation tables that help compartmentalize the scope of various functions and identifier spaces, while relating these spaces for resource discovery, resolution, and routing. The graph also organizes persistent state that coordinates behavior between individual data events (e.g., coordinating packets as a connection), among different associations (e.g., between connections), as well as helping optimize the recursive discovery process through caching, and supporting prefetching and distributed pre-coordination. This paper describes the DRUID architecture composed of these three parts (recursive block, translation tables, persistent state), and highlights its goals and benefits, including unifying the data, control, management, and security planes currently considered orthogonal aspects of network architecture.

show abstract

“…Chow et al [9] propose a similar framework, where edge routers periodically obtain information from core routers, and adjust conditioner parameters accordingly. Aggregate-based Congestion Control (ACC) detects and controls high bandwidth aggregate flows [29].…”

Section: Congestion Collapsementioning

confidence: 99%