On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law Internets

Kihong Park, Heejo Lee

Research output: Contribution to journalConference article

258 Citations (Scopus)

Abstract

Denial of service (DoS) attack on the Internet has become a pressing problem. In this paper, we describe and evaluate route-based distributed packet filtering (DPF), a novel approach to distributed DoS (DDoS) attack prevention. We show that DPF achieves proactiveness and scalability, and we show that there is an intimate relationship between the effectiveness of DPF at mitigating DDoS attack and power-law network topology. The salient features of this work are two-fold. First, we show that DPF is able to proactively filter out a significant fraction of spoofed packet flows and prevent attack packets from reaching their targets in the first place. The IP flows that cannot be proactively curtailed are extremely sparse so that their origin can be localized - i.e., IP traceback - to within a small, constant number of candidate sites. We show that the two proactive and reactive performance effects can be achieved by implementing route-based filtering on less than 20% of Internet autonomous system (AS) sites. Second, we show that the two complementary performance measures are dependent on the properties of the underlying AS graph. In particular, we show that the power-law structure of Internet AS topology leads to connectivity properties which are crucial in facilitating the observed performance effects.

Original languageEnglish
Pages (from-to)15-26
Number of pages12
JournalComputer Communication Review
Volume31
Issue number4
DOIs
Publication statusPublished - 2001
EventACM SIGCOMM 2001- Applications, Technologies, Architectures, and Protocols for Computers Communications- - San Diego, CA, United States
Duration: 2001 Aug 272001 Aug 31

ASJC Scopus subject areas

  • Software
  • Computer Networks and Communications

Fingerprint Dive into the research topics of 'On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law Internets'. Together they form a unique fingerprint.

  • Cite this