• DocumentCode
    436032
  • Title

    Investigation of pushback based detection and prevention of network bandwidth attacks

  • Author

    Wu, Ningning ; Zhang, Jing

  • Author_Institution
    Dept. of Inf. Sci., Arkansas Univ., Little Rock, AR, USA
  • fYear
    2004
  • fDate
    10-11 June 2004
  • Firstpage
    416
  • Lastpage
    423
  • Abstract
    The pushback approach has been applied to the detection and prevention of DDoS attacks by identifying the destination IP addresses in the dropped packets when congestion happens. The identified destination IP addresses are used to guide the subsequent packet dropping at both the local router and upstream routers so that the total bandwidth can be controlled within a desired range. This paper investigates an application of the pushback approach to the detection and prevention of more general network bandwidth attacks based on the profiles of destination port distribution instead of destination IP addresses. The new approach can be used to detect and prevent attacks such as Internet worms. The investigation applies the long trace dataset of NLANR - CESCA-I and an Internet Worm Propagation simulator to simulate the generation of profiles and the detection of the Internet CodeRed worm. The dataset statistics and simulation results demonstrate the effectiveness of the new approach in the detection and prevention of Internet worms.
  • Keywords
    Internet; bandwidth allocation; invasive software; packet switching; quality of service; telecommunication congestion control; telecommunication network routing; telecommunication security; IP address; Internet CodeRed worm; Internet Worm Propagation simulator; network bandwidth attack; packet dropping; pushback based detection; Aggregates; Bandwidth; Communication system control; Computer crime; Computer networks; Computer worms; IP networks; Internet; Network servers; Statistics;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Information Assurance Workshop, 2004. Proceedings from the Fifth Annual IEEE SMC
  • Print_ISBN
    0-7803-8572-1
  • Type

    conf

  • DOI
    10.1109/IAW.2004.1437847
  • Filename
    1437847