2nd International ICST Conference on Security and Privacy in Communication Networks

Research Article

Protecting Against Distributed Denial of Service (DDoS) Attacks Using Distributed Filtering

  • @INPROCEEDINGS{10.1109/SECCOMW.2006.359548,
        author={Jonathan Trostle},
        title={Protecting Against Distributed Denial of Service (DDoS) Attacks Using Distributed Filtering},
        proceedings={2nd International ICST Conference on Security and Privacy in Communication Networks},
        publisher={IEEE},
        proceedings_a={SECURECOMM},
        year={2007},
        month={5},
        keywords={},
        doi={10.1109/SECCOMW.2006.359548}
    }

  • Jonathan Trostle
    Year: 2007
    Protecting Against Distributed Denial of Service (DDoS) Attacks Using Distributed Filtering
    SECURECOMM
    IEEE
    DOI: 10.1109/SECCOMW.2006.359548
Jonathan Trostle (1)
  • 1: ASK Consulting and Research, Inc.

Abstract

We present a new scheme, the distributed filtering service (DFS), for protecting services against distributed denial of service (DDoS) attacks. Our system is proactive and requires no changes to the Internet core and no changes to existing ISP routers. DFS can be deployed incrementally, and benefits are obtained immediately. The key to our approach is forcing traffic destined for protected services through widely dispersed filtering points on the Internet, using IP anycast. DFS requires no unicast-address nodes that can be targeted by an attacker; we are unaware of any other DDoS defensive system with this property. We also use two other techniques that have not been well used in DDoS defensive systems: key logging and the IPsec replay window. For the latter, we model attacks and give lower bounds for its effectiveness. We analyze DFS's resistance against large-scale DDoS flooding attacks; DFS offers relatively strong protection against DDoS attacks.