DocumentCode :
2235378
Title :
A Control Theoretical Approach for Flow Control to Mitigate Bandwidth Attacks
Author :
Song, Sui ; Manikopoulos, C.N.
fYear :
2006
fDate :
21-23 June 2006
Firstpage :
348
Lastpage :
360
Abstract :
Flooding-based distributed denial-of-service (DoS) attacks present a very serious threat to the stability of the Internet. However, current intrusion detection is unreliable and may have high false-positive rates. Rate-limiting is a better-suited response than complete filtering. Filtering out all the traffic to the victim would greatly damage misclassified flows, whereas rate-limiting still allows some packets to reach the destination and thus keeps the connection alive. Allowing some attack packets through is acceptable, since the attack's overall impact depends on the volume of the attack packets. Moreover, if the flow-rate of low-priority traffic is reduced, the high-priority flows get more chances to access the server they share, which eventually reduces congestion and improves the throughput of the high-priority flows. Based on the concept of the flow aggregation management architecture (Sui Song, et al., April 2006), we present a flow-based congestion control (FCC) architecture that consists of a flow-based quality-of-service (FQoS) regulator and a PID controller. The whole system adopts a control-theoretic approach to adjust the traffic rate of every link (or server) so as to maintain the traffic rates at their desired level. In order to provide more fine-grained differentiated services (or flows) with different weights and to limit malicious services (or flows) as much as possible, we propose a multilevel packet classification structure. Moreover, in order to block flooding as far as possible, the flow-based network intrusion detection (Sui Song, et al., April 2006) is used to classify each flow in the network into different priority classes and to give different treatment to the flow-rates belonging to different classes. The architecture is shown to provide highly flexible service differentiation and to be robust against different types of flooding attacks, and traditional network traffic control can be implemented using one common framework. This system has been evaluated using simulated test-bed data. Results showed that the system successfully mitigates bandwidth flooding attacks.
Keywords :
Internet; quality of service; security of data; stability; telecommunication congestion control; telecommunication security; three-term control; Internet; PID control; bandwidth attacks; flooding-based distributed denial-of-service attack; flow control; flow-based congestion control; flow-based quality-of-service; intrusion detection; multilevel packet classification; rate-limiting; stability; Bandwidth; Computer crime; File servers; Information filtering; Information filters; Internet; Intrusion detection; Quality management; Stability; Throughput;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Information Assurance Workshop, 2006 IEEE
Conference_Location :
West Point, NY
Print_ISBN :
1-4244-0130-5
Type :
conf
DOI :
10.1109/IAW.2006.1652116
Filename :
1652116