On Filtering of DDoS Attacks Based on Source Address Prefixes
Date
2005
Author
Pack, Gary
Yoon, Jaeyoung
Collins, Eli
Estan, Cristian
Publisher
University of Wisconsin-Madison Department of Computer Sciences
Abstract
Distributed denial of service (DDoS) attacks are a grave threat to Internet services and even to the network itself. Widely distributed "zombie" computers subverted by malicious hackers are used to orchestrate massive attacks. Despite significant research efforts and the existence of a wide range of commercial products defending against them, DDoS attacks are still a concern for most network operators and companies relying on the Internet. A particularly hard problem is distinguishing the packets that are part of the attack from legitimate traffic so that the attack can be filtered out without much collateral damage. In this paper we explore the use of ACL rules that distinguish the attack packets from the legitimate traffic based on prefixes derived from models of the historic distribution of legitimate packet source addresses. One advantage of this defense is that these ACL rules can be deployed in routers deep in the network, where the attack isn't large enough to cause loss of legitimate traffic due to congestion. The most important disadvantage is that these ACL rules can also cause collateral damage by discarding some legitimate traffic. We use simulations to study this damage. We examine the effect of various factors: magnitude of attacks, attack strategy, degree of network overprovisioning, number of ACL rules used, service targeted (web, email, DNS), and algorithm for generating ACL rules. For attacks 100 times larger than the link capacity provisioned to match peak traffic, we applied SAPF to reduce the total traffic to within link capacity, and it discarded on average 54% of the legitimate traffic for a mail server and 67% for a web server. For smaller attacks of only 5 times the link capacity, the collateral damage was 8% and 31% respectively.
Permanent Link
http://digital.library.wisc.edu/1793/60476
Citation
TR1547