
dc.contributor.author: Pack, Gary (en_US)
dc.contributor.author: Yoon, Jaeyoung (en_US)
dc.contributor.author: Collins, Eli (en_US)
dc.contributor.author: Estan, Cristian (en_US)
dc.date.accessioned: 2012-03-15T17:19:52Z
dc.date.available: 2012-03-15T17:19:52Z
dc.date.created: 2005 (en_US)
dc.date.issued: 2005 (en_US)
dc.identifier.citation: TR1547 (en_US)
dc.identifier.uri: http://digital.library.wisc.edu/1793/60476
dc.description.abstract: Distributed denial of service (DDoS) attacks are a grave threat to Internet services and even to the network itself. Widely distributed "zombie" computers subverted by malicious hackers are used to orchestrate massive attacks. Despite significant research efforts and the existence of a wide range of commercial products defending against them, DDoS attacks are still a concern for most network operators and companies relying on the Internet. A particularly hard problem is distinguishing the packets that are part of the attack from legitimate traffic so that the attack can be filtered out without much collateral damage. In this paper we explore the use of ACL rules that distinguish the attack packets from the legitimate traffic based on prefixes derived from models of the historic distribution of legitimate packet source addresses. One advantage of this defense is that these ACL rules can be deployed in routers deep in the network where the attack isn't large enough to cause loss of legitimate traffic due to congestion. The most important disadvantage is that these ACL rules can also cause collateral damage by discarding some legitimate traffic. We use simulations to study this damage. We examine the effect of various factors: magnitude of attacks, attack strategy, degree of network overprovisioning, number of ACL rules used, service targeted (web, email, DNS), and algorithm for generating ACL rules. For attacks 100 times larger than the link capacity provisioned to match peak traffic, we applied SAPF to reduce the total traffic to within link capacity, and it discarded on average 54% of the legitimate traffic for a mail server and 67% for a web server. For smaller attacks of only 5 times the link capacity, the collateral damage was 8% and 31% respectively. (en_US)
dc.format.mimetype: application/pdf (en_US)
dc.publisher: University of Wisconsin-Madison Department of Computer Sciences (en_US)
dc.title: On Filtering of DDoS Attacks Based on Source Address Prefixes (en_US)
dc.type: Technical Report (en_US)


This item appears in the following Collection(s)

  • CS Technical Reports
    Technical Reports Archive for the Department of Computer Sciences at the University of Wisconsin-Madison