30-08-2011, 10:07 AM
Abstract
Distributed Denial of Service (DDoS) attacks are a persistent, current, and very real threat to networks. Expanding upon a flexible distributed framework for network remediation utilising multiple strategies, we examine a novel fusion of methods to maximise throughput from legitimate clients and minimise the impact from attackers. The basic approach is to build up a whitelist of likely legitimate clients by observing outgoing traffic, presenting a challenge though proof-of-work, and providing flow cookies. Traffic that does not match the expected profile is likely attack traffic, and can be heavily filtered during attack conditions. After we incrementally develop this approach, we explore the positive and negative impacts of this approach upon the network and analyse potential countermeasures.
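As an added illustration of the three mechanisms the abstract names (whitelisting from observed outgoing traffic, a proof-of-work challenge, and flow cookies), here is a small Python model of a filtering node. It is example code written for this post, not the INTERSECTION project's own implementation; the class and method names, the hashcash-style proof-of-work, the HMAC cookie layout and the per-source budget for unknown traffic under attack are all assumptions chosen to make the fusion of methods concrete.

```python
import hashlib
import hmac
import os
import time
from typing import Dict, Optional, Set

# Leading zero bits a client must find for the proof-of-work (constructed value).
POW_BITS = 12


def pow_valid(challenge: bytes, nonce: int, bits: int = POW_BITS) -> bool:
    """True if sha256(challenge || nonce) starts with at least `bits` zero bits."""
    digest = hashlib.sha256(challenge + nonce.to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big") >> (256 - bits) == 0


def solve_pow(challenge: bytes, bits: int = POW_BITS) -> int:
    """Client side: brute-force a nonce; expected cost grows as 2**bits."""
    nonce = 0
    while not pow_valid(challenge, nonce, bits):
        nonce += 1
    return nonce


class Remediator:
    """Toy model of one filtering node combining whitelist, proof-of-work and flow cookies."""

    def __init__(self, key: bytes, unknown_budget: int = 2):
        self.key = key                      # shared HMAC key for cookies (hypothetical)
        self.whitelist: Set[str] = set()
        self.challenges: Dict[str, bytes] = {}
        self.attack_mode = False
        self.unknown_budget = unknown_budget  # packets an unknown source may send under attack
        self.unknown_seen: Dict[str, int] = {}

    # Whitelist from outgoing traffic: a reply from inside the protected network means
    # the peer completed an exchange, which a spoofed flood source never does.
    def observe_outgoing(self, dst: str) -> None:
        self.whitelist.add(dst)

    # Proof-of-work: a source we have not seen replying must spend CPU before admission.
    def issue_challenge(self, src: str) -> bytes:
        chal = os.urandom(16)
        self.challenges[src] = chal
        return chal

    def redeem_challenge(self, src: str, nonce: int) -> Optional[bytes]:
        chal = self.challenges.pop(src, None)   # single use: consumed whether or not it verifies
        if chal is None or not pow_valid(chal, nonce):
            return None
        self.whitelist.add(src)
        return self.issue_cookie(src)

    # Flow cookie: expiry || HMAC(key, src|expiry), checked statelessly by any node with the key.
    def issue_cookie(self, src: str, ttl: int = 600) -> bytes:
        expiry = int(time.time()) + ttl
        tag = hmac.new(self.key, f"{src}|{expiry}".encode(), hashlib.sha256).digest()[:8]
        return expiry.to_bytes(4, "big") + tag

    def cookie_valid(self, src: str, cookie: bytes) -> bool:
        if len(cookie) != 12:
            return False
        expiry = int.from_bytes(cookie[:4], "big")
        if expiry < time.time():
            return False
        expected = hmac.new(self.key, f"{src}|{expiry}".encode(), hashlib.sha256).digest()[:8]
        return hmac.compare_digest(expected, cookie[4:])

    # Filtering decision for one inbound packet from `src`, optionally carrying a cookie.
    def admit(self, src: str, cookie: Optional[bytes] = None) -> bool:
        if src in self.whitelist or (cookie is not None and self.cookie_valid(src, cookie)):
            return True
        if not self.attack_mode:
            return True                      # outside attack conditions: default allow
        n = self.unknown_seen.get(src, 0) + 1
        self.unknown_seen[src] = n
        return n <= self.unknown_budget      # heavy filtering of traffic that matches no profile


if __name__ == "__main__":
    node = Remediator(b"constructed-demo-key")
    node.attack_mode = True
    node.observe_outgoing("10.0.0.5")           # a server inside replied to this client
    chal = node.issue_challenge("198.51.100.7")
    cookie = node.redeem_challenge("198.51.100.7", solve_pow(chal))
    print("whitelisted:", node.admit("10.0.0.5"), "cookie:", cookie is not None,
          "unknown after budget:", [node.admit("203.0.113.9") for _ in range(3)])
```

The cookie is bound to the source address and to an expiry, so a cookie harvested from one flow is useless for another source and stops working after the TTL; the challenge is consumed on first redemption so the same solution cannot be replayed. Whitelisting on outgoing traffic alone is not enough against attackers using their real addresses, which is why the model falls through to proof-of-work and, during attack conditions, to a small per-source budget for everything else.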
1. Introduction
The INTERSECTION project, funded by the European Commission, has created an open, distributed, self-regulating framework for network intrusion tolerance. Network measurement, intrusion detection, and event remediation are all carried out by independent, loosely coupled systems. Our chief concern is with event remediation: to carry out temporary actions on the network in response to externally-detected intrusion events, and to withdraw those actions when the event has passed. This remediation system was previously described in [4]. This paper looks further into specific strategies we employ within this architecture in response to bandwidth-starvation DDoS attacks, a class of attack that is notably challenging for network remediation.
1.1. Observations of bandwidth-saturation DDoS
The scope of this paper is limited to remedying bandwidth-saturation attacks. While traffic of such an attack spans the Internet, we note that:
1. The direct victims of the attack are typically the uplinks of the edge networks hosting target nodes (those which are addressed by the attack packets). The indirect (and probably intended) victims are the nodes normally reachable through such networks.
2. Core networks are extremely over-provisioned, so they are not particularly vulnerable to volume-based attacks. Nor are they likely intended victims, as crippling them would probably harm the unrelated interests of the attacker.
3. Edge networks hosting attacking nodes are not direct victims, as those nodes are generating relatively small amounts of traffic individually, while the target networks are receiving many coalesced attacking flows. Any solution to this form of DDoS must take steps to reduce attack traffic somewhere in the path ahead of the victim links. However, any network that carries general traffic has an intrinsic vulnerability, which the attacker is exploiting.
Download full report