On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law Internets

Kihong Park, Heejo Lee

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution

250 Citations (Scopus)

Abstract

Denial of service (DoS) attacks on the Internet have become a pressing problem. In this paper, we describe and evaluate route-based distributed packet filtering (DPF), a novel approach to distributed DoS (DDoS) attack prevention. We show that DPF achieves proactiveness and scalability, and we show that there is an intimate relationship between the effectiveness of DPF at mitigating DDoS attacks and power-law network topology. The salient features of this work are two-fold. First, we show that DPF is able to proactively filter out a significant fraction of spoofed packet flows and prevent attack packets from reaching their targets in the first place. The IP flows that cannot be proactively curtailed are extremely sparse, so that their origin can be localized (i.e., IP traceback) to within a small, constant number of candidate sites. We show that the two performance effects, proactive and reactive, can be achieved by implementing route-based filtering on less than 20% of Internet autonomous system (AS) sites. Second, we show that the two complementary performance measures depend on the properties of the underlying AS graph. In particular, we show that the power-law structure of the Internet AS topology leads to connectivity properties which are crucial in facilitating the observed performance effects.

Original language: English
Title of host publication: Computer Communication Review
Pages: 15-26
Number of pages: 12
Volume: 31
Edition: 4
DOIs: https://doi.org/10.1145/964723.383061
Publication status: Published - 2001
Externally published: Yes
Event: ACM SIGCOMM 2001 - Applications, Technologies, Architectures, and Protocols for Computer Communications - San Diego, CA, United States
Duration: 2001 Aug 27 to 2001 Aug 31

Other

Other: ACM SIGCOMM 2001 - Applications, Technologies, Architectures, and Protocols for Computer Communications
Country: United States
City: San Diego, CA
Period: 01/8/27 to 01/8/31

Fingerprint

  • Internet
  • Topology
  • Scalability
  • Denial-of-service attack

ASJC Scopus subject areas

  • Information Systems

Cite this

On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law Internets. / Park, Kihong; Lee, Heejo.

Computer Communication Review. Vol. 31, 4th ed. 2001. p. 15-26.

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution

Park, K & Lee, H 2001, On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law Internets. in Computer Communication Review. 4 edn, vol. 31, pp. 15-26, ACM SIGCOMM 2001 - Applications, Technologies, Architectures, and Protocols for Computer Communications, San Diego, CA, United States, 01/8/27. https://doi.org/10.1145/964723.383061
@inproceedings{6c2cb5a1df684fcb8c8cb4c605dd6d19,
title = "On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law Internets",
author = "Kihong Park and Heejo Lee",
year = "2001",
doi = "10.1145/964723.383061",
language = "English",
volume = "31",
pages = "15--26",
booktitle = "Computer Communication Review",
edition = "4",
}

TY - GEN

T1 - On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law Internets

AU - Park, Kihong

AU - Lee, Heejo

PY - 2001

Y1 - 2001

UR - http://www.scopus.com/inward/record.url?scp=0034776786&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=0034776786&partnerID=8YFLogxK

U2 - 10.1145/964723.383061

DO - 10.1145/964723.383061

M3 - Conference contribution

VL - 31

SP - 15

EP - 26

BT - Computer Communication Review

ER -