NetFence: Preventing internet denial of service from inside out

Computer Communication Review

Volumn 40, Issue 4, 2010, Pages 255-266

  Liu, Xin ^a   Yang, Xiaowei ^a   Xia, Yong ^b  

^a Duke University   (United States)

^b NEC Laboratories China   (China)

Author keywords

Capability; Congestion policing; Denial of service; Internet

Indexed keywords

ACCESS ROUTERS; AUTONOMOUS SYSTEMS; BOTTLENECK ROUTER; CAPABILITY; CONGESTED LINKS; CONGESTION POLICING; DENIAL OF SERVICE; DENIAL OF SERVICE ATTACKS; FAIR SHARE; FINANCIAL LOSS; INTERNET SERVICES; LINUX IMPLEMENTATION; NETWORK LINKS; NETWORK RESOURCE; NS-2 SIMULATIONS; PACKET HEADER; UNWANTED TRAFFIC;

COMPUTER OPERATING SYSTEMS; INTERNET; LOSSES; MOBILE TELECOMMUNICATION SYSTEMS; NETWORK ARCHITECTURE; ROUTERS; TRANSMISSION CONTROL PROTOCOL;

TRAFFIC CONGESTION;

EID: 84874709128     PISSN: 01464833     EISSN: 19435819     Source Type: Conference Proceeding    
DOI: 10.1145/1851275.1851214     Document Type: Conference Paper

References (48)

1. D. Andersen. Mayday: Distributed Filtering for Internet Services. In USENIX USITS, 2003.
2. D. G. Andersen, H. Balakrishnan, N. Feamster, T. Koponen, D. Moon, and S. Shenker. Accountable Internet Protocol (AIP). In ACM SIGCOMM, 2008.
3. T. Anderson, T. Roscoe, and D.Wetherall. Preventing Internet Denial of Service with Capabilities. In ACM HotNets-II, 2003.
4. Arbor Networks. Worldwide Infrastructure Security Report, Volume V. http://www.arbornetworks.com/en/research.html, 2009.
5. K. Argyraki and D. R. Cheriton. Scalable Network-layer Defense Against Internet Bandwidth-Flooding Attacks. ACM/IEEE ToN, 17(4), 2009.
6. H. Ballani, Y. Chawathe, S. Ratnasamy, T. Roscoe, and S. Shenker. Off by default! In ACM Hotnets-IV, 2005.
7. BGP Routing Table Statistics. http://bgp.potaroo.net/as6447/, 2010.
8. B. Briscoe, A. Jacquet, C. D. Cairano-Gilfedder, A. Salvatori, A. Soppera, and M. Koyabe. Policing Congestion Response in an Internetwork using Re-feedback. In ACM SIGCOMM, 2005.
9. B. Briscoe, A. Jacquet, T. Moncaster, and A. Smith. Re-ECN: A Framework for Adding Congestion Accountability to TCP/IP. http://tools.ietf.org/id/draft- briscoe-tsvwg-re-ecn-tcp-motivation-01.txt, 2009.
10. M. Casado, P. Cao, A. Akella, and N. Provos. Flow-Cookies: Using Bandwidth Amplification to Defend Against DDoS Flooding Attacks. In IWQoS, 2006.
11. D.-M. Chiu and R. Jain. Analysis of the Increase and Decrease Algorithms for Congestion Avoidance in Computer Networks. Comput. Netw. ISDN Syst., 17(1), 1989.
12. CSS Routing and Bridging Configuration Guide. http://www.cisco.com/en/US/ docs/app-ntwk-services/data-center-app-services/css11500series/v7.30/ configuration/routing/guide/IP.html, 2010.
13. J. Crowcroft, T. Deegan, C. Kreibich, R. Mortier, and N. Weaver. Lazy Susan: Dumb Waiting as Proof of Work. Technical Report UCAM-CL-TR-703, University of Cambridge, Computer Laboratory, 2007.
14. Deterlab. http://www.deterlab.net/, 2010.
15. C. Dixon, A. Krishnamurthy, and T. Anderson. Phalanx: Withstanding Multimillion-node Botnets. In USENIX/ACM NSDI, 2008.
16. D. Ely, N. Spring, D. Wetherall, S. Savage, and T. Anderson. Robust Congestion Signaling. In In IEEE ICNP, 2001.
17. F-Secure. Calculating the Size of the Downadup Outbreak. http://www.fsecure.com/weblog/archives/00001584.html, 2009.
18. S. Floyd and V. Jacobson. Random Early Detection Gateways for Congestion Avoidance. IEEE/ACM ToN, 1(4), 1993.
19. M. Handley, E. Kohler, A. Ghosh, O. Hodson, and P. Radoslavov. Designing Extensible IP Router Software. In USENIX/ACM NSDI, 2005.
20. Helion Technology. AES Cores. http://www.heliontech.com/aes.htm, 2010.
21. Intel AES Instructions Set. http://software.intel.com/en-us/articles/ intel-advanced-encryption-standard-aesinstructions-set/, 2010.
22. S. Kandula, D. Katabi, M. Jacob, and A. Berger. Botz-4-Sale: Surviving DDoS Attacks that Mimic Flash Crowds. In USENIX/ACM NSDI, 2005.
23. A. Keromytis, V. Misra, and D. Rubenstein. SOS: Secure Overlay Services. In ACM SIGCOMM, 2002.
24. E. Kohler, R. Morris, B. Chen, J. Jannotti, and M. F. Kaashoek. The Click Modular Router. ACM TOCS, 18(3), 2000.
25. C. Kreibich, A. Warfield, J. Crowcroft, S. Hand, and I. Pratt. Using Packet Symmetry to Curtail Malicious Traffic. In ACM Hotnets-IV, 2005.
26. X. Liu, A. Li, X. Yang, and D. Wetherall. Passport: Secure and Adoptable Source Authentication. In USENIX/ACM NSDI, 2008.
27. X. Liu, X. Yang, and Y. Lu. To Filter or to Authorize: Network-Layer DoS Defense Against Multimillion-node Botnets. In ACM SIGCOMM, 2008.
28. X. Liu, X. Yang, and Y. Xia. NetFence: Preventing Internet Denial of Service from Inside Out. Technical Report 2010-01 (available at http://www.cs.duke.edu/nds/ddos/netfence-tr.pdf), Duke University, 2010.
29. S. Luo and G. A. Marin. Realistic Internet Traffic Simulation through Mixture Modeling and A Case Study. In Winter Simulation Conference, 2005.
30. R. Mahajan, S. Bellovin, S. Floyd, J. Ioannidis, V. Paxson, and S. Shenker. Controlling High Bandwidth Aggregates in the Network. ACM SIGCOMM CCR, 32(3), 2002.
31. R. Mahajan, S. Floyd, and D. Wetherall. Controlling High-Bandwidth Flows at the Congested Router. In IEEE ICNP, 2001.
32. A. Mahimkar, J. Dange, V. Shmatikov, H. Vin, and Y. Zhang. dFence: Transparent Network-based Denial of Service Mitigation. In USENIX/ACM NSDI, 2007.
33. Z. M. Mao, J. Rexford, J. Wang, and R. Katz. Towards an Accurate AS-Level Traceroute Tool. In ACM SIGCOMM, 2003.
34. M. Mathis, J. Semke, J. Mahdavi, and T. Ott. The Macroscopic Behavior of the TCP Congestion Avoidance Algorithm. ACM SIGCOMM CCR, 27(3), 1997.
35. B. Parno, D. Wendlandt, E. Shi, A. Perrig, B. Maggs, and Y.-C. Hu. Portcullis: Protecting Connection Setup from Denial-of-Capability Attacks. In ACM SIGCOMM, 2007.
36. R. Perlman. Network Layer Protocols with Byzantine Robustness. MIT Ph.D. Thesis, 1988.
37. K. Ramakrishnan, S. Floyd, and D. Black. The Addition of Explicit Congestion Notification (ECN) to IP. RFC 3168, 2001.
38. E. Shi, I. Stoica, D. Andersen, and A. Perrig. OverDoSe: A Generic DDoS Protection Service Using an Overlay Network. Technical Report CMU-CS-06-114, Carnegie Mellon University, 2006.
39. M. Shreedhar and G. Varghese. Efficient Fair Queueing Using Deficit Round Robin. In ACM SIGCOMM, 1995.
40. A. Stavrou and A. Keromytis. Countering DoS Attacks with Stateless Multipath Overlays. In ACM SIGCOMM CCS, 2005.
41. I. Stoica, S. Shenker, and H. Zhang. Core-Stateless Fair Queueing: a Scalable Architecture to Approximate Fair Bandwidth Allocations in High-Speed Networks. IEEE/ACM ToN, 2003.
42. R. Stone. CenterTrack: An IP Overlay Network for Tracking DoS Floods. In USENIX Security Symposium, 2000.
43. DDoS Mitigation to the Rescue. https://www.arbornetworks.com/dmdocuments/ DDoS%20Mitigation%20to%20the%20Rescue.pdf, 2010.
44. J. S. Turner. New Directions in Communications (Or Which Way to the Information Age?). IEEE Communications Magazine, 1986.
45. M. Walfish, M. Vutukuru, H. Balakrishnan, D. Karger, and S. Shenker. DDoS Defense by Offense. In ACM SIGCOMM, 2006.
46. Y. Xia, L. Subramanian, I. Stoica, and S. Kalyanaraman. One More Bit is Enough. IEEE/ACM ToN, 16(6), 2008.
47. A. Yaar, A. Perrig, and D. Song. SIFF: A Stateless Internet Flow Filter to Mitigate DDoS Flooding Attacks. In IEEE Security Symposium, 2004.
48. X. Yang, D. Wetherall, and T. Anderson. TVA: A DoS-limiting Network Architecture. IEEE/ACM ToN, 16(6), 2008.