
Fine-Grained Intra-domain Bandwidth Allocation Against DDoS Attack

  • Conference paper
Security and Privacy in Communication Networks (SecureComm 2021)

Abstract

Multiple bandwidth reservation mechanisms based on network capability have been proposed to resolve Distributed Denial of Service (DDoS) attacks on transit links. However, previous capability-based techniques are insufficient to provide accurate protection for legitimate users of contaminated domains. In this paper, we present FIBA, an intra-domain bandwidth allocation mechanism with fine-grained access-control granularity. FIBA enables source domains to locally differentiate capability requests by measuring their state according to two attributing factors. Moreover, FIBA can establish hierarchical channels for capability-requesting packets to isolate traffic originating from the same source domain. Our scheme integrates with existing methods and can be optionally deployed by source domains. Finally, through network experiments, we evaluate FIBA and show that it can realize user-level DDoS protection even in a 90%-contaminated domain.


Notes

  1. For example, the 2-state tag problem is to find an integer number a that minimizes \(H(\{A_{i,j}|A_{i,j}\le a\})+H(\{A_{i,j}|A_{i,j}>a\})\). The source AS can also determine a by itself.
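The footnote states the 2-state tag problem but does not spell out how the threshold is found. The following is an added example, not code from the paper or its authors: it searches the integer threshold a by brute force over the distinct cell values of A. The page never defines H, so this example assumes H is the Shannon entropy of the empirical value distribution of each part; the matrix `A`, the function names `shannon_entropy` and `two_state_split`, and the sample values are all constructed for illustration.

```python
from collections import Counter
from math import log2
from typing import Callable, List, Sequence, Tuple


def shannon_entropy(values: Sequence[int]) -> float:
    """H(S): Shannon entropy (bits) of the value distribution in S.

    Assumption (not stated on the page): H is Shannon entropy; an empty set
    has entropy 0, which lets a single-sided split be scored like any other.
    """
    n = len(values)
    if n == 0:
        return 0.0
    return -sum((c / n) * log2(c / n) for c in Counter(values).values())


def two_state_split(
    matrix: Sequence[Sequence[int]],
    entropy: Callable[[Sequence[int]], float] = shannon_entropy,
) -> Tuple[int, float]:
    """Solve the 2-state tag problem: return (a, cost) with the integer a
    minimizing H({A_ij | A_ij <= a}) + H({A_ij | A_ij > a}).

    The cost is piecewise constant between consecutive distinct cell values,
    so trying each distinct value as `a` covers every possible partition.
    Ties are broken towards the smallest threshold.
    """
    cells: List[int] = [v for row in matrix for v in row]
    if not cells:
        raise ValueError("matrix has no cells to partition")

    best_a, best_cost = None, float("inf")
    for a in sorted(set(cells)):
        low = [v for v in cells if v <= a]    # state 0: tags at or below a
        high = [v for v in cells if v > a]    # state 1: tags above a
        cost = entropy(low) + entropy(high)
        if cost < best_cost - 1e-12:
            best_a, best_cost = a, cost
    return best_a, best_cost


if __name__ == "__main__":
    # Constructed sample matrix A_{i,j}; values stand in for per-source tags.
    A = [[1, 1, 2],
         [2, 5, 5],
         [6, 6, 6]]
    a, cost = two_state_split(A)
    print(f"threshold a={a}, H(low)+H(high)={cost:.4f}")
```

A source AS running this locally only needs its own measurement matrix, so the threshold can be chosen without coordination, as the footnote says. Swapping `entropy` for another set function lets the same search be reused if H is defined differently.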


Acknowledgement

This work is supported by the National Key Research and Development Program of China (2020YFB1005702).

Corresponding author

Correspondence to Xiao Zhang.


Copyright information

© 2021 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

Cite this paper

Xie, L., Zhao, S., Zhang, X., Shi, Y., Xiao, X., Zheng, Z. (2021). Fine-Grained Intra-domain Bandwidth Allocation Against DDoS Attack. In: Garcia-Alfaro, J., Li, S., Poovendran, R., Debar, H., Yung, M. (eds) Security and Privacy in Communication Networks. SecureComm 2021. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 398. Springer, Cham. https://doi.org/10.1007/978-3-030-90019-9_20


  • DOI: https://doi.org/10.1007/978-3-030-90019-9_20

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-90018-2

  • Online ISBN: 978-3-030-90019-9
