2nd International ICST Conference on Security and Privacy in Comunication Networks

Research Article

On Filtering of DDoS Attacks Based on Source Address Prefixes

  • @INPROCEEDINGS{10.1109/SECCOMW.2006.359537,
        author={Gary   Pack  and Cristian  Estan and Eli Collins and Jaeyoung  Yoon },
        title={On Filtering of DDoS Attacks Based on Source Address Prefixes},
        proceedings={2nd International ICST Conference on Security and Privacy in Comunication Networks},
        publisher={IEEE},
        proceedings_a={SECURECOMM},
        year={2007},
        month={5},
        keywords={},
        doi={10.1109/SECCOMW.2006.359537}
    }
    
  • Gary Pack
    Cristian Estan
    Eli Collins
    Jaeyoung Yoon
    Year: 2007
    On Filtering of DDoS Attacks Based on Source Address Prefixes
    SECURECOMM
    IEEE
    DOI: 10.1109/SECCOMW.2006.359537
Gary Pack 1, Cristian Estan1, Eli Collins1, Jaeyoung Yoon 1
  • 1: Dept. of Comput. Sci., Wisconsin Univ., Madison, WI

Abstract

Distributed denial of service (DDoS) attacks are a grave threat to Internet services and even to the network itself. Widely distributed "zombie" computers subverted by malicious hackers are used to orchestrate massive attacks. Any defense against such flooding attacks must solve the hard problem of distinguishing the packets that are part of the attack from legitimate traffic, so that the attack can be filtered out without much collateral damage. We explore one technique that can be used as part of DDoS defenses: using ACL rules that distinguish the attack packets from the legitimate traffic based on source addresses in packets. One advantage of this technique is that the ACL rules can be deployed in routers deep inside the network where the attack isn't large enough to cause loss of legitimate traffic due to congestion. The most important disadvantage is that the ACL rules can also cause collateral damage by discarding some legitimate traffic. We use simulations to study this damage how it is influenced by various factors. Our technique is much better than uninformed dropping due to congestion, but it produces larger collateral damage than more processing-intensive approaches. For example it can reduce the attack size by a factor of 3 while also dropping between 2% and 10% of the legitimate traffic. We recommend the use of source address prefix based filtering in combination with other techniques, for example as a coarse pre-filter that ensures that devices performing the processing-intensive filtering are not overwhelmed