
A countermeasure against DDOS attacks using active networks technologies

French title: Protection contre les attaques par saturation réparties au moyen de techniques de réseaux actifs (Protection against distributed saturation attacks using active network techniques)

Published in: Annales des Télécommunications

Abstract

A Distributed Denial of Service (DDoS) attack consumes the resources of a remote host or network by sending a massive amount of IP packets from many distributed hosts. It is a pressing problem on the Internet, as demonstrated by recent attacks on major e-commerce servers and ISPs. Since the attack is distributed and the attack tools evolve at a rapid and alarming rate, an effective solution must be formulated using a distributed and adaptive approach. In this paper, we propose a countermeasure against DDoS attacks using a method we call Active Shaping. Our method employs Active Networks technologies, which incorporate programmability into network nodes. The Active Networks technology enables us to deter congestion and bandwidth consumption of the backbone network caused by DDoS attacks, and to prevent our system from mistakenly dropping packets of legitimate users. This paper introduces the concept of our method and its system design, and evaluates the effectiveness of our method using a prototype.

Résumé (French abstract, translated)

A distributed saturation attack consumes the resources of a remote host or a network by sending a large number of IP packets from many distributed computers. It is a pressing problem on the Internet, as shown by recent attacks against major e-commerce servers and ISPs. Since the attack is distributed and attack tools evolve rapidly and alarmingly, an effective solution must be formulated using a distributed and adaptive approach. The article proposes a protection against distributed saturation attacks that uses a method called active shaping. This method employs active network techniques in which network nodes are programmable. It thus becomes possible to prevent congestion and bandwidth consumption in the backbone network caused by saturation attacks, and to avoid the erroneous dropping of packets sent by genuine users. The article introduces the principle of the method and the design of the system, then evaluates the effectiveness of the method using a prototype.



Author information

Corresponding author: Dai Kashiwa.

Cite this article

Kashiwa, D., Chen, E.Y. & Fuji, H. A countermeasure against DDOS attacks using active networks technologies. Ann. Télécommun. 58, 605–629 (2003). https://doi.org/10.1007/BF03001031

DOI: https://doi.org/10.1007/BF03001031
