Denial of Service (DoS) attacks are one of the most challenging threats to
Internet security. An attacker typically compromises a large number of
vulnerable hosts and uses them to flood the victim's site with malicious
traffic, clogging its tail circuit and interfering with normal traffic. At
present, the network operator of a site under attack has no other resolution
but to respond manually by inserting filters in the appropriate edge routers to
drop attack traffic. However, as DoS attacks become increasingly sophisticated,
manual filter propagation becomes unacceptably slow or even infeasible.
  In this paper, we present Active Internet Traffic Filtering, a new automatic
filter propagation protocol. We argue that this system provides a guaranteed,
significant level of protection against DoS attacks in exchange for a
reasonable, bounded amount of router resources. We also argue that the proposed
system cannot be abused by a malicious node to interfere with normal Internet
operation. Finally, we argue that it retains its efficiency in the face of
continued Internet growth.Comment: Briefly describes the core ideas of AITF, a protocol for facing
  Denial of Service Attacks. 6 pages lon

Argyraki, Katerina J.

Cheriton, David R.

English

arXiv

K. Argyraki

D.R. Cheriton

Crossref

Scalable Network-Layer Defense Against Internet Bandwidth-Flooding Attacks

In a bandwidth-flooding attack, compromised sources send high-volume traffic to the target with the purpose of causing congestion in its tail circuit and disrupting its legitimate communications. In this paper, we present Active Internet Traffic Filtering (AITF), a network-layer defense mechanism against such attacks. AITF enables a receiver to contact misbehaving sources and ask them to stop sending it traffic; each source that has been asked to stop is policed by its own Internet service provider (ISP), which ensures its compliance. An ISP that hosts misbehaving sources either supports AITF (and accepts to police its misbehaving clients), or risks losing all access to the complaining receiver---this is a strong incentive to cooperate, especially when the receiver is a popular public-access site. We show that AITF preserves a significant fraction of a receiver's bandwidth in the face of bandwidth flooding, and does so at a per-client cost that is already affordable for today's ISPs; this per-client cost is not expected to increase, as long as botnet-size growth does not outpace Moore's law. We also show that even the first two networks that deploy AITF can maintain their connectivity to each other in the face of bandwidth flooding. We conclude that the network-layer of the Internet can provide an effective, scalable, and incrementally deployable solution against bandwidth-flooding attacks.NA

Argyraki, Katerina

Infoscience - École polytechnique fédérale de Lausanne

Scalable Network-layer Defense Against Internet Bandwidth-Flooding Attacks

Active Internet Traffic Filtering: Real-time Response to Denial of
  Service Attacks

Active Internet Traffic Filtering: Real-time Response to Denial of Service Attacks

Abstract

Similar works

Full text

Available Versions

Crossref

Infoscience - École polytechnique fédérale de Lausanne