Abstract
A Distributed Denial of Service (DDoS) attack consumes the resources of a remote host or network by sending a massive amount of IP packets from many distributed hosts. It is a pressing problem on the Internet, as demonstrated by recent attacks on major e-commerce servers and ISPs. Since the attack is distributed and the attack tools evolve at a rapid and alarming rate, an effective solution must be formulated using a distributed and adaptive approach. In this paper, we propose a countermeasure against DDoS attacks using a method we call Active Shaping. Our method employs Active Networks technologies, which incorporate programmability into network nodes. The Active Networks technology enables us to deter congestion and bandwidth consumption of the backbone network caused by DDoS attacks, and to prevent our system from mistakenly dropping packets of legitimate users. This paper introduces the concept of our method and its system design, and evaluates the effectiveness of our method using a prototype.
Résumé (translated from French)
A distributed denial-of-service attack consumes the resources of a remote host or network by sending a large number of IP packets from many distributed computers. It is a pressing problem on the Internet, as shown by recent attacks against major e-commerce servers and ISPs. Since the attack is distributed and the attack tools evolve rapidly and alarmingly, an effective solution must be formulated by means of a distributed and adaptive approach. The article proposes a protection against distributed denial-of-service attacks that uses a method called active shaping. This method employs active network techniques, in which the network nodes are programmable. It is thus possible to prevent congestion and bandwidth consumption in the backbone network due to denial-of-service attacks, and to avoid mistakenly discarding packets sent by genuine users. The article introduces the principle of the method and the design of the system, then evaluates the effectiveness of the method using a prototype.
Cite this article
Kashiwa, D., Chen, E.Y. & Fuji, H. A countermeasure against DDOS attacks using active networks technologies. Ann. Télécommun. 58, 605–629 (2003). https://doi.org/10.1007/BF03001031
DOI: https://doi.org/10.1007/BF03001031
Key words
- Computer security
- Internet
- Congestion control
- Active telecommunication network
- Distributed system
- Adaptive method
- Automatic classification