FAIR: Forwarding Accountability for Internet Reputability

This paper presents FAIR, a forwarding accountability mechanism that incentivizes ISPs to apply stricter security policies to their customers. The Autonomous System (AS) of the receiver specifies a traffic profile that the sender AS must adhere to. Transit ASes on the path mark packets. In case of traffic profile violations, the marked packets are used as a proof of misbehavior. FAIR introduces low bandwidth overhead and requires no per-packet and no per-flow state for forwarding. We describe integration with IP and demonstrate a software switch running on commodity hardware that can switch packets at a line rate of 120 Gbps, and can forward 140M minimum-sized packets per second, limited by the hardware I/O subsystem. Moreover, this paper proposes a "suspicious bit" for packet headers - an application that builds on top of FAIR's proofs of misbehavior and flags packets to warn other entities in the network.Comment: 16 pages, 12 figure

An Enhanced Entropy Approach to Detect and Prevent DDoS in Cloud Environment

Distributed Denial of Service (DDoS) attack launched in Cloud computing environment resulted in loss of sensitive information, Data corruption and even rarely lead to service shutdown. Entropy based DDoS mitigation approach analyzes the heuristic data and acts dynamically according to the traffic behavior to effectively segregate the characteristics of incoming traffic. Heuristic data helps in detecting the traffic condition to mitigate the flooding attack. Then, the traffic data is analyzed to distinguish legitimate and attack characteristics. An additional Trust mechanism has been deployed to differentiate legitimate and aggressive legitimate users. Hence, Goodput of Datacenter has been improved by detecting and mitigating the incoming traffic threats at each stage. Simulation results proved that the Enhanced Entropy approach behaves better at DDoS attack prone zones. Profit analysis also proved that the proposed mechanism is deployable at Datacenter for attack mitigation and resource protection which eventually results in beneficial service at slenderized revenu

"LUDO" - Kids playing Distributed Denial of Service

Distributed denial of service attacks pose a serious threat to the availability of the network infrastructures and services. GE̿ANT, the pan-European network with terabit capacities witnesses close to hundreds of DDoS attacks on a daily basis. The reason is that DDoS attacks are getting larger, more sophisticated and frequent. At the same time, it has never been easier to execute DDoS attacks, e.g., Booter services offer paying customers without any technical knowledge the possibility to perform DDoS attacks as a service. Given the increasing size, frequency and complexity of DDoS attacks, there is a need to perform a collaborative mitigation. Therefore, we developed (i) a DDoSDB to share real attack data and allow collaborators to query, compare, and download attacks, (ii) the Security attack experimentation framework to test mitigation and response capabilities and (iii) a collaborative mitigation and response process among trusted partners to disseminate security event information. In addition to these developments, we present and would like to discuss our latest research results with experienced networking operators and bridging the gap between academic research and operational business