Abstract
DDoS (distributed denial of service) attacks have gradually increased and have become more sophisticated. There have been several methods for defending against these attacks. However, because the types and scales of DDoS attacks have been diversified, it has become important to defend against DDoS attacks not only in main networks, but also in small scale networks such as AS (autonomous system). We have designed a DDoS defense system working inside AS without either changing the network structure or modifying the router. For this purpose, we have applied the Shield mechanism, which deals with the location problem in DDoS defense, and utilizes the routing updates protocol called RIP (routing information protocol), a representative protocol of IGP (interior gateway protocol). Moreover, we have also conducted experiments by using simulations to find the optimal number and locations of deployed systems.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
References
Klisne E, Afanasyev A, Reiher P (2011) Shield: dos filtering using traffic deflecting. In: Proc of the 19th IEEE international conference on network protocols (ICNP 2011), Vancouver, pp 37–42
Trustwave SpiderLabs (2011). The web hacking incident database semiannual report, July to December 2010. Technical report, Computer Science in Trustwave SpiderLabs
Garg K, Chawla R (2011) Detection of DDoS attacks using data mining. Int J Comput Bus Res 2(1)
Peng T, Lecke C, Ramanohanarao K (2007) Survey of network-based defense mechanisms countering the DoS and DDoS problems. ACM Comput Surv 39(1)
Mirkovic J, Reiher P (2004) A Taxonomy of DDoS Attack and DDoS Defense Mechanisms, ACM SIGCOMM 34(2)
Klisne E, Beaumont-Gay M, Mirkovic J, Reiher P (2009) RAD: Reflector attack defense using message authentication codes. In: Proc of annual computer security applications conference (ASAC 2009), Honolulu. IEEE Press, New York, pp 269–278.
Zaroo P (2002) A survey of DDoS attacks and some DDoS defense mechanisms. Advanced Information Assurance (CS 626)
Ferguson P, Senie D (2000) Network ingress filtering: defeating denial of service attacks which employ IP source address spoofing. RFC 2267 technical report, The Internet Society
Burch H, Cheswick B (2000) Tracing anonymous packets to their approximate source. In: Proc of the USENIX large installation systems administration conference, New Orleans, pp 319–327
Savage S, Wetherall D, Karlin A, Anderson T (2000) Practical network support for IP traceback. Technical report, Department of Computer Science and Engineering, University of Washington
Kang H-S, Kim S-R (2012) Design and experiments of small DDoS defense system using traffic deflecting in autonomous system. In: Proc of 4th international workshop on managing insider security threats (MIST 2012, JISIS), vol 2, pp 43–53
Noureldien NA (2002) Protecting web servers from DoS/DDoS flooding attacks: a technical overview. In: Proc of International conference on web-management for international organisations, Geneva
Acknowledgements
This research was supported by Next-Generation Information Computing Development Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Science, ICT, & Future Planning (2011-0029924). This research project was also supported by Ministry of Culture, Sports, and Tourism (MCST), and from the Korea Copyright Commission in 2013.
Author information
Authors and Affiliations
Corresponding author
Rights and permissions
About this article
Cite this article
Kang, HS., Kim, SR. sShield: small DDoS defense system using RIP-based traffic deflection in autonomous system. J Supercomput 67, 820–836 (2014). https://doi.org/10.1007/s11227-013-1031-7
Published:
Issue Date:
DOI: https://doi.org/10.1007/s11227-013-1031-7