Proactive Surge Protection: A Defense Mechanism for Bandwidth-Based Attacks

Large-scale bandwidth-based distributed denial-of-service (DDoS) attacks can quickly knock out substantial parts of a network before reactive defenses can respond. Even traffic that is not under direct attack can suffer significant collateral damage if the traffic passes through links that are commo...

Bibliographic details
Published in: IEEE/ACM transactions on networking 2009-12, Vol.17 (6), p.1711-1723
Main authors: Chou, J.C.-Y., Lin, B., Sen, S., Spatscheck, O.
Format: Article
Language: eng
container_end_page 1723
container_issue 6
container_start_page 1711
container_title IEEE/ACM transactions on networking
container_volume 17
creator Chou, J.C.-Y.
Lin, B.
Sen, S.
Spatscheck, O.
description Large-scale bandwidth-based distributed denial-of-service (DDoS) attacks can quickly knock out substantial parts of a network before reactive defenses can respond. Even traffic that is not under direct attack can suffer significant collateral damage if the traffic passes through links that are common to attack routes. This paper presents a proactive surge protection (PSP) mechanism that aims to provide a broad first line of defense against DDoS attacks. The approach aims to minimize collateral damage by providing bandwidth isolation between traffic flows. The proposed solution is readily deployable using existing router mechanisms and does not rely on any unauthenticated packet header information. Our extensive evaluation across two large commercial backbone networks, using both distributed and targeted attacks, shows that up to 95.5% of the network could suffer collateral damage, but our solution was able to significantly reduce the amount of collateral damage by up to 97.58% in terms of the number of packets dropped and 90.36% in terms of the number of flows with packet loss. Further, we show that PSP can maintain low packet loss rates even when the intensity of attacks is increased significantly.
doi_str_mv 10.1109/TNET.2009.2017199
format Article
fulltext fulltext_linktorsrc
identifier ISSN: 1063-6692
ispartof IEEE/ACM transactions on networking, 2009-12, Vol.17 (6), p.1711-1723
issn 1063-6692
1558-2566
language eng
recordid cdi_proquest_journals_861495631
source IEEE Electronic Library (IEL)
subjects Bandwidth
Bandwidths
Computer crime
Computer networks
Computer science
Internet
Investments
network security
Reliability engineering
Spine
Surge protection
Telecommunication traffic
Unsolicited electronic mail
title Proactive Surge Protection: A Defense Mechanism for Bandwidth-Based Attacks
url https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-02-05T21%3A34%3A58IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-proquest_RIE&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=Proactive%20Surge%20Protection:%20A%20Defense%20Mechanism%20for%20Bandwidth-Based%20Attacks&rft.jtitle=IEEE/ACM%20transactions%20on%20networking&rft.au=Chou,%20J.C.-Y.&rft.date=2009-12&rft.volume=17&rft.issue=6&rft.spage=1711&rft.epage=1723&rft.pages=1711-1723&rft.issn=1063-6692&rft.eissn=1558-2566&rft.coden=IEANEP&rft_id=info:doi/10.1109/TNET.2009.2017199&rft_dat=%3Cproquest_RIE%3E2317910681%3C/proquest_RIE%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_pqid=861495631&rft_id=info:pmid/&rft_ieee_id=5208213&rfr_iscdi=true