FOSeL: Filtering by Helping an Overlay Security Layer to Mitigate DoS Attacks

Abstract: Denial of service (DoS) attacks are major threat against availability in the Internet. A large number of countermeasure techniques try to detect attack and then filter out DoS attack packets. Unfortunately these techniques that filter DoS traffic by looking at known attack patterns or statistical anomalies in the traffic patterns can be defeated by changing the attack patterns and masking the anomalies that are sought by the filter. Hence, detecting DoS traffic is one of the main challenges for filtering techn… Show more

“…Several variations of SOS have been proposed in literature [28,29,20,21,6,5]. [28] extends its functionality to defend against botnets using CAPTCHA [32], while [29] introduces an architecture for enhancing service availability build on multi-path and stateless tokens.…”

“…Similarly, this solution allows communication only among confirmed entities; meaning that any packet must be authenticated through the proposed architecture. [6] protects a target using a filter that drops any packet whose source address is not approved. In the case of a DoS attack, rather than processing all arriving packets, the target's filter processes only a subset of received packets, and drops all the remaining.…”

“…On the other hand, distributed architectures based on overlay networks [18,28,29,6,20,21,5] can operate on existing network infrastructure, and have shown to be able to withstand attacks involving millions of attackers. Overlay based solutions can be categorized in three types:…”

“…Strict access: These approaches [18,6,20,5,29] assume that the users of the protected service are pre-authorized, and only them are allowed to access the service. They cater to scenarios like attacks against emergency services used during disasters.…”

A Multilayer Overlay Network Architecture for Enhancing IP Services Availability against DoS

“…Several variations of SOS have been proposed in literature [28,29,20,21,6,5]. [28] extends its functionality to defend against botnets using CAPTCHA [32], while [29] introduces an architecture for enhancing service availability build on multi-path and stateless tokens.…”

“…Similarly, this solution allows communication only among confirmed entities; meaning that any packet must be authenticated through the proposed architecture. [6] protects a target using a filter that drops any packet whose source address is not approved. In the case of a DoS attack, rather than processing all arriving packets, the target's filter processes only a subset of received packets, and drops all the remaining.…”

“…On the other hand, distributed architectures based on overlay networks [18,28,29,6,20,21,5] can operate on existing network infrastructure, and have shown to be able to withstand attacks involving millions of attackers. Overlay based solutions can be categorized in three types:…”

“…Strict access: These approaches [18,6,20,5,29] assume that the users of the protected service are pre-authorized, and only them are allowed to access the service. They cater to scenarios like attacks against emergency services used during disasters.…”

A Multilayer Overlay Network Architecture for Enhancing IP Services Availability against DoS

“…One can also study the architecture in reverse mode from users toward the target. We have proposed a preliminary version of the Fosel architecture in [25].…”

A dependable architecture to mitigate distributed denial of service attacks on network-based control systems

Economic Denial of Sustainability Mitigation in Cloud Computing