Provider-based deterministic packet marking against distributed DoS attacks

Siris, Vasilios A.; Stavrakis, Ilias

doi:10.1016/j.jnca.2005.07.005

Cited by 12 publications

(2 citation statements)

References 15 publications

(17 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Traditional DDoS defense systems that attempt to alleviate DDoS attacks via packet filtering [38] using techniques such as packet marking [6], [7], [8], [9], [10], [11] and push-back techniques [39], [40], [41], [42] filter traffic at ingress and egress points on the network, but are incapable of withstanding DDoS attacks of the size of the Mirai botnet used in our evaluation. In general, no existing system with minimal deployment requirements provides botnet-size independence, the ability to defend against attacks regardless of the size of the malicious botnet sending attack traffic.…”

Section: Related Workmentioning

confidence: 99%

“…These gaps arise from three core challenges. First, filtering and prioritization techniques [6], [7], [8], [9], [10], [11] claim to alleviate congestion by distinguishing between benign and malicious traffic, and then filtering out the malicious traffic. Despite advances in this area, filtering and related methods such as traffic prioritization require costly per-stream calculations, presenting scalability concerns with modern DDoS attacks.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Routing Around Congestion: Defeating DDoS Attacks and Adverse Network Conditions via Reactive BGP Routing

Smith

Schuchard

2018

2018 IEEE Symposium on Security and Privacy (SP)

View full text Add to dashboard Cite

In this paper, we present Nyx, the first system to both effectively mitigate modern Distributed Denial of Service (DDoS) attacks regardless of the amount of traffic under adversarial control and function without outside cooperation or an Internet redesign. Nyx approaches the problem of DDoS mitigation as a routing problem rather than a filtering problem. This conceptual shift allows Nyx to avoid many of the common shortcomings of existing academic and commercial DDoS mitigation systems. By leveraging how Autonomous Systems (ASes) handle route advertisement in the existing Border Gateway Protocol (BGP), Nyx allows the deploying AS to achieve isolation of traffic from a critical upstream AS off of attacked links and onto alternative, uncongested, paths. This isolation removes the need for filtering or de-prioritizing attack traffic. Nyx controls outbound paths through normal BGP path selection, while return paths from critical ASes are controlled through the use of specific techniques we developed using existing traffic engineering principles and require no outside coordination. Using our own realistic Internet-scale simulator, we find that in more than 98% of cases our system can successfully route critical traffic around network segments under transit-link DDoS attacks; a new form of DDoS attack where the attack traffic never reaches the victim AS, thus invaliding defensive filtering, throttling, or prioritization strategies. More significantly, in over 95% of those cases, the alternate path provides complete congestion relief from transitlink DDoS. Nyx additionally provides complete congestion relief in over 75% of cases when the deployer is being directly attacked.Permission to freely reproduce all or part of this paper for noncommercial purposes is granted provided that copies bear this notice and the full citation on the first page. Reproduction for commercial purposes is strictly prohibited without the prior written consent of the Internet Society, the first-named author (for reproduction of an entire paper only), and the author's employer if the paper was prepared within the scope of employment.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Routing Around Congestion: Defeating DDoS Attacks and Adverse Network Conditions via Reactive BGP Routing

Smith

Schuchard

2018

2018 IEEE Symposium on Security and Privacy (SP)

View full text Add to dashboard Cite

show abstract

On packet marking and Markov modeling for IP Traceback: A deep probabilistic and stochastic analysis

et al. 2020

View full text Add to dashboard Cite

From many years, the methods to defend against Denial of Service attacks have been very attractive from different point of views, although network security is a large and very complex topic. Different techniques have been proposed and so-called packet marking and IP tracing procedures have especially demonstrated a good capacity to face different malicious attacks. While host-based DoS attacks are more easily traced and managed, network-based DoS attacks are a more challenging threat. In this paper, we discuss a powerful aspect of the IP traceback method, which allows a router to mark and add information to attack packets on the basis of a fixed probability value. We propose a potential method for modeling the classic probabilistic packet marking algorithm as Markov chains, allowing a closed form to be obtained for evaluating the correct number of received marked packets in order to build a meaningful attack graph and analyze how marking routers must behave to minimize the overall overhead.

show abstract

A systematic review of IP traceback schemes for denial of service attacks

Singh

Kumar³

2016

Computers & Security

View full text Add to dashboard Cite

Provider-based deterministic packet marking against distributed DoS attacks

Cited by 12 publications

References 15 publications

Routing Around Congestion: Defeating DDoS Attacks and Adverse Network Conditions via Reactive BGP Routing

Routing Around Congestion: Defeating DDoS Attacks and Adverse Network Conditions via Reactive BGP Routing

On packet marking and Markov modeling for IP Traceback: A deep probabilistic and stochastic analysis

A systematic review of IP traceback schemes for denial of service attacks

Contact Info

Product

Resources

About