DocumentCode :
2574735
Title :
Protecting Against Distributed Denial of Service (DDoS) Attacks Using Distributed Filtering
Author :
Trostle, Jonathan
Author_Institution :
ASK Consulting and Research, Inc.
fYear :
2006
fDate :
Aug. 28 2006-Sept. 1 2006
Firstpage :
1
Lastpage :
11
Abstract :
We present a new scheme, distributed filtering service or DFS, for protecting services against distributed denial of service (DDoS) attacks. Our system is proactive and requires no changes to the Internet core, and no changes to existing ISP routers. DFS can be deployed incrementally, and benefits are obtained immediately. The key to our approach is forcing traffic destined for protected services to widely dispersed filtering points on the Internet, using IP anycast. DFS requires no unicast address nodes that can be targeted by an attacker; we are unaware of any other DDoS defensive system with this property. We also use two other techniques that have not been well used in DDoS defensive systems: key logging and the IPsec replay window. For the latter, we model attacks and give lower bounds for its effectiveness. We analyze DFS's resistance against large scale DDoS flooding attacks; DFS offers relatively strong protection against DDoS attacks.
Keywords :
IP networks; Internet; telecommunication network routing; telecommunication security; telecommunication traffic; DDoS defensive system; DDoS flooding attacks; IP anycast; IPsec replay window; ISP routers; Internet; distributed denial of service attacks; distributed filtering service; key logging; Amplitude shift keying; Computer crime; Floods; Information filtering; Information filters; Large-scale systems; Protection; Routing; Unicast; Web and internet services;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Securecomm and Workshops, 2006
Conference_Location :
Baltimore, MD
Print_ISBN :
1-4244-0423-1
Electronic_ISBN :
1-4244-0423-1
Type :
conf
DOI :
10.1109/SECCOMW.2006.359548
Filename :
4198808