  • DocumentCode
    2132440
  • Title
    Joint Application and Network Defense against DDoS Flooding Attacks in the Future Internet
  • Author
    Karrer, Roger P. ; Kuehn, Ulrich ; Huehn, Thomas
  • Author_Institution
    Deutsche Telekom Labs., Tech. Univ. Berlin, Berlin, Germany
  • Volume
    1
  • fYear
    2008
  • fDate
    13-15 Dec. 2008
  • Firstpage
    11
  • Lastpage
    16
  • Abstract
    The threat of denial of service flooding attacks in the Internet is rapidly increasing. Especially the use of techniques that allow attackers to hide their attack traffic raises concerns: attack distribution and rotation in botnets to obfuscate senders, low-rate bandwidth attacks, and attacks that mimic realistic patterns such as flash crowds. The defense against such attacks is limited due to a deadlock: the attacks must be stopped inside the network, but the network is unable to distinguish legitimate and unsolicited traffic. In contrast, end systems may distinguish legitimate users from bots, but are unable to stop the attacks inside the network. This paper advocates for a joint end system-network defense to address such attacks in the future. Edge-based capabilities (EC) is a novel framework that combines end-to-end authentication with network-based control. Applications authenticate legitimate senders and issue capabilities to tag their packets, and the network filters out untagged packets. This paper describes the mechanisms that make EC a secure, efficient, and scalable solution. Moreover, we argue that EC is an attractive solution because it can be incrementally deployed and because it provides the right incentives to users, servers, and ISPs.
  • Keywords
    Internet; telecommunication security; telecommunication traffic; DDoS flooding attack; Internet; attack traffic; botnets; edge-based capabilities; end-to-end authentication; network defense; network filter; network-based control; Authentication; Bandwidth; Communication system traffic control; Computer crime; Filters; Floods; IP networks; System recovery; Telecommunication traffic; Web and internet services; DDos; Edgebased Capabilities;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Future Generation Communication and Networking, 2008. FGCN '08. Second International Conference on
  • Conference_Location
    Hainan Island
  • Print_ISBN
    978-0-7695-3431-2
  • Type
    conf
  • DOI
    10.1109/FGCN.2008.168
  • Filename
    4734048