• Login
    View Item 
    •   MINDS@UW Home
    • MINDS@UW Madison
    • College of Letters and Science, University of Wisconsin–Madison
    • Department of Computer Sciences, UW-Madison
    • CS Technical Reports
    • View Item
    •   MINDS@UW Home
    • MINDS@UW Madison
    • College of Letters and Science, University of Wisconsin–Madison
    • Department of Computer Sciences, UW-Madison
    • CS Technical Reports
    • View Item
    JavaScript is disabled for your browser. Some features of this site may not work without it.

    On Filtering of DDoS Attacks Based on Source Address Prefixes

    Thumbnail
    File(s)
    TR1547.pdf (2.856Mb)
    Date
    2005
    Author
    Pack, Gary
    Yoon, Jaeyoung
    Collins, Eli
    Estan, Cristian
    Publisher
    University of Wisconsin-Madison Department of Computer Sciences
    Metadata
    Show full item record
    Abstract
    Distributed denial of service (DDoS) attacks are a grave threat to Internet services and even to the network itself. Widely distributed "zombie" computers subverted by malicious hackers are used to orchestrate massive attacks. Despite significant research efforts and the existence of a wide range of commercial products defending against them, DDoS attacks are still a concern for most network operators and companies relying on the Internet. A particularly hard problem is distinguishing the packets that are part of the attack from legitimate traffic so that the attack can be filtered out without much collateral damage. In this paper we explore the use of ACL rules that distinguish the attack packets from the legitimate traffic based on prefixes derived from models of the historic distribution of legitimate packet source addresses. One advantage of this defense is that these ACL rules can be deployed in routers deep in the network where the attack isn't large enough to cause loss of legitimate traffic due to congestion. The most important disadvantage is that these ACL, rules can also cause collateral damage by discarding some legitimate traffic. We use simulations to study this damage. We examine the effect of various factors: magnitude of attacks, attack strategy, degree of network overprovisioning, number of ACL rules used, service targeted (web, email, DNS), and algorithm for generating ACL rules. Fol attacks 100 times larger than the link capacity provisioned to match peak traffic we applied SAPF to reduce the total traffic to within 1ink capacity and it discarded on average 54% of the legitimate traffic for a mail server and 67% for a web server. For smaller attacks of only 5 times the link capacity the collateral damage was 8% and 31% respectively.
    Permanent Link
    http://digital.library.wisc.edu/1793/60476
    Citation
    TR1547
    Part of
    • CS Technical Reports

    Contact Us | Send Feedback
     

     

    Browse

    All of MINDS@UWCommunities & CollectionsBy Issue DateAuthorsTitlesSubjectsThis CollectionBy Issue DateAuthorsTitlesSubjects

    My Account

    LoginRegister

    Contact Us | Send Feedback