Abstract
We present a DDoS mitigation mechanism dispatching suspicious and legitimate traffic into separate MultiProtocol Label Switching (MPLS) tunnels, well upstream from the target. The objective is to limit the impact a voluminous attack could otherwise have on the legitimate traffic through saturation of network resources. The separation of traffic is based on a signature identifying suspicious flows, carried in an MPLS label, and then used by a load-balancing mechanism in a router. The legitimate traffic is preserved at the expense of suspicious flows, whose resource allocations are throttled as needed to avoid congestion.
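The abstract describes the policy at a high level only: a detector's verdict is encoded in an MPLS label, the router steers flows into a "legitimate" or a "suspicious" tunnel on that label, and the suspicious tunnel is throttled so that the legitimate one never sees congestion. The following Python model is an added illustration of that policy, not the paper's mechanism or code; the label values, the flow records, the link capacity and the baseline "single shared queue" comparison are all constructed assumptions for the example.

```python
from dataclasses import dataclass
from typing import Iterable

# Constructed label values for the two tunnels. A real deployment would take
# these from the router's MPLS label space; the abstract only states that the
# signature verdict is carried in a label.
LABEL_LEGIT = 100
LABEL_SUSPECT = 200


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    rate_mbps: float
    matches_signature: bool   # assumed verdict produced by an upstream detector


def assign_label(flow: Flow) -> int:
    """Map the detector's verdict to the tunnel label the router switches on."""
    return LABEL_SUSPECT if flow.matches_signature else LABEL_LEGIT


def dispatch_separated(flows: Iterable[Flow], link_capacity_mbps: float) -> dict:
    """Two-tunnel policy: the legitimate tunnel is served first and the
    suspicious tunnel only receives whatever capacity is left, so a flood
    that matches the signature cannot starve legitimate flows."""
    flows = list(flows)
    legit_demand = sum(f.rate_mbps for f in flows if assign_label(f) == LABEL_LEGIT)
    suspect_demand = sum(f.rate_mbps for f in flows if assign_label(f) == LABEL_SUSPECT)
    legit_served = min(legit_demand, link_capacity_mbps)
    suspect_served = max(0.0, min(suspect_demand, link_capacity_mbps - legit_served))
    return {
        "legit_served_mbps": legit_served,
        "suspect_served_mbps": suspect_served,
        "suspect_dropped_mbps": suspect_demand - suspect_served,
    }


def dispatch_shared(flows: Iterable[Flow], link_capacity_mbps: float) -> dict:
    """Baseline without separation: a single queue in which every flow is
    scaled by the same factor once total demand exceeds link capacity, so
    legitimate flows lose bandwidth in proportion to the flood."""
    flows = list(flows)
    legit_demand = sum(f.rate_mbps for f in flows if not f.matches_signature)
    suspect_demand = sum(f.rate_mbps for f in flows if f.matches_signature)
    total = legit_demand + suspect_demand
    scale = 1.0 if total <= link_capacity_mbps else link_capacity_mbps / total
    return {
        "legit_served_mbps": legit_demand * scale,
        "suspect_served_mbps": suspect_demand * scale,
        "suspect_dropped_mbps": suspect_demand * (1.0 - scale),
    }


# Constructed sample: three ordinary flows of 100 Mbps each and two flood flows
# of 1000 Mbps each that match the signature, all heading for one target.
SAMPLE_FLOWS = [
    Flow("198.51.100.10", "203.0.113.5", 100.0, False),
    Flow("198.51.100.11", "203.0.113.5", 100.0, False),
    Flow("198.51.100.12", "203.0.113.5", 100.0, False),
    Flow("192.0.2.7", "203.0.113.5", 1000.0, True),
    Flow("192.0.2.8", "203.0.113.5", 1000.0, True),
]
LINK_CAPACITY_MBPS = 1000.0   # constructed capacity of the link towards the target

if __name__ == "__main__":
    print("separated tunnels:", dispatch_separated(SAMPLE_FLOWS, LINK_CAPACITY_MBPS))
    print("single shared queue:", dispatch_shared(SAMPLE_FLOWS, LINK_CAPACITY_MBPS))
```

With the constructed sample, the separated policy serves the full 300 Mbps of legitimate traffic and throttles the flood to the remaining 700 Mbps, whereas the shared queue scales everything by 1000/2300 and the legitimate flows keep only about 130 Mbps. The point the model makes is that the protection only holds as long as the detector's verdict is correct: a legitimate flow wrongly marked suspicious is throttled along with the flood, so false-positive rate of the signature is the quantity a deployer has to watch.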
Acknowledgement
This research is supported by the European Seventh Framework Programme (FP7) and by the Japanese Ministry of Internal Affairs and Communication (MIC) during the project NECOMA under grant agreement No 608533, and by the French research program Programme d’Investissements d’Avenir (PIA) during the project SIEM+ under grant agreement P111271-3583256.
© 2016 Springer International Publishing AG
Cite this paper
Fabre, PE., Debar, H., Viinikka, J., Blanc, G. (2016). ML: DDoS Damage Control with MPLS. In: Brumley, B., Röning, J. (eds) Secure IT Systems. NordSec 2016. Lecture Notes in Computer Science, vol 10014. Springer, Cham. https://doi.org/10.1007/978-3-319-47560-8_7
DOI: https://doi.org/10.1007/978-3-319-47560-8_7
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-47559-2
Online ISBN: 978-3-319-47560-8
eBook Packages: Computer Science (R0)