On the robustness of router-based Denial-of-Service (DoS) defense systems

Computer Communication Review

Volumn 35, Issue 3, 2005, Pages 47-60

  Xu, Ying ^a   Guérin, Roch ^a  

^a UNIVERSITY OF PENNSYLVANIA   (United States)

Author keywords

Denial of Service; Router based Defense

Indexed keywords

COMPUTER NETWORKS; ROBUSTNESS (CONTROL SYSTEMS); ROUTERS; SECURITY SYSTEMS; TELECOMMUNICATION TRAFFIC;

CONGESTIONS; DENIAL-OF-SERVICES (DOS); FLOODING PATTERNS; ROUTER-BASED DEFENSE;

COMMUNICATION SYSTEMS;

EID: 33645785346     PISSN: 01464833     EISSN: 01464833     Source Type: Conference Proceeding    
DOI: 10.1145/1070873.1070878     Document Type: Review

References (28)

1. Arbor networks. http://www.arbornetworks.com/resources_overview.php.
2. Mazu profiler. http://www.mazunetworks.com/white_papers/.
3. The network simulator - ns-2. http://www.isi.edu/nsnam/ns/.
4. Riverhead networks, http://www.riverhead.com/index2.html.
5. D. Bansal and H. Balakrishnan. Binomial congestion control algorithms. In Proc. IEEE INFOCOM'01, pages 631-640, Anchorage, AK, April 2001.
6. S. M. Bellovin. ICMP traceback messages. Internet draft (work in progress), IETF, 2000. http://wwwl .cs.columbia.edu/ smb/papers/draft-bellovin- itrace-00.txt.
7. P. Ferguson and D. Senie. Network ingress filtering: Defeating denial of service attacks which employ IP source address spoofing. Request For Comments (Proposed Standard) RFC 2267, IETF, January 1998.
8. S. Floyd and K. Fall. Promoting the use of end-to-end congestion control in the Internet. IEEE/ACM Trans. Netw., 7(4):458-472, 1999.
9. S. Floyd and V. Jacobson. Random early detection gateways for congestion avoidance. IEEE/ACM Trans. Netw., 1(4):397-413, 1993.
10. T. M. Gil and M. Poletto. MULTOPS: A data-structure for bandwidth attack detection. In Proc. USENIX Security Symposium, pages 23-28, Washington, DC, July 2001.
11. M. Guirguis, A. Bestavros, and I. Malta. Exploiting the transients of adaptation for RoQ attacks on internet resources. In Proc. IEEEICNP'04, pages 184-195, 2004.
12. J. loannidis and S. M. Bellovin. Implementing pushback: Router-based defense against DDoS attacks. In Proc. NDSS'02, February 2002.
13. H. Jiang and C. Dovrolis. Guardian: A router mechanism for extreme overload prevention. In Proc. ITCOM'02, August 2002.
14. R. R. Kompella, S. Singh, and G. Varghese. On scalable attack detection in the network. In Proc. IMC' 2004, pages 187-200, Taormina, Sicily, Italy, October 2004.
15. A. Kuzmanovic and E. W. Knightly. Low-rate TCP-targeted denial of service attacks: the shrew vs. the mice and elephants. In Proc. ACM SIGCOMM'03, pages 75-86, 2003.
16. D. Lin and R. Morris. Dynamics of random early detection. In Proc. ACM SIGCOMM'97, pages 127-137, 1997.
17. R. Mahajan, S. M. Bellovin, S. Floyd, J. Ioannidis, V. Paxson, and S. Shenker. Controlling high bandwidth aggregates in the network. SIGCOMM Comput. Commun. Rev., 32(3):62-73, 2002.
18. R. Mahajan and S. Floyd. Controlling high-bandwidth flows at the congested router. In Proc. lEEE ICNP'01, pages 192-201, 2001.
19. J. Mirkovic, G. Prier, and P. Reiher. Attacking DDoS at the source. In Proc. IEEE ICNP'02, Noverber 2002.
20. J. Mirkovic and P. Reiher. A taxonomy of DDoS attack and DDoS defense mechanisms. SIGCOMM Comput. Commun. Rev., 34(2):39-53, 2004.
21. R. Pan, L. Breslau, B. Prabhakar, and S. Shenker. Approximate fairness through differential dropping. SIGCOMM Comput. Commun. Rev., 33(2):23-39, 2003.
22. R. Pan, B. Prabhakar, and K. Psounis. CHOKe, a stateless active queue management scheme for approximating fair bandwidth allocation. In Proc. IEEE INFOCOM'00, pages 942-951, Tel-Aviv, Israel, March 2000.
23. S. Savage, D. Wetherall, A. Karlin, and T. Andersen. Practical network support for IP traceback. In Proc. ACM SIGCOMM'00, pages 295-306, 2000.
24. I. Stoica, S. Shenker, and H. Zhang. Core-stateless fair queueing: achieving approximately fair bandwidth allocations in high speed networks. In Proc. ACM SIGCOMM'98, pages 118-130, 1998.
25. H. Wang, D. Zhang, and K. G. Shin. Detecting SYN flooding attacks. In Proc. IEEE INFOCOM'2002, pages 1530-1539, New York, NY, June 2002.
26. K. Xu, Z. Zhang, and S. Bhattacharyya. Profiling internet backbone traffic: Behavior models and applications. In Proc. ACM SIGCOMM'05, Philadelphia, PA, August 2005.
27. Y. Xu and R. Guerin. A double horizon defense scheme for robust regulation of malicious traffic. Technical report in preparation, University of Pennsylvania, 2005.
28. Y. Xu and R. Guerin. On the robustness of router-based denial-of-service (DoS) defense systems. Technical report, University of Pennsylvania, March 2005. Available at: http://einstein.seas.upenn.edu/mnlab/publications.html.