IEEE Transactions on Parallel and Distributed Systems

Perimeter-based defense against high bandwidth DDoS attacks


Abstract

Distributed denial of service (DDoS) is a major threat to the availability of Internet services. The anonymity allowed by IP networking, together with the distributed, large-scale nature of the Internet, makes DDoS attacks stealthy and difficult to counter. To make the problem worse, attack traffic is often indistinguishable from normal traffic. As various attack tools become widely available and require minimal knowledge to operate, automated anti-DDoS systems become increasingly important. Many current solutions are either excessively expensive or require universal deployment across many administrative domains. This paper proposes two perimeter-based defense mechanisms for Internet service providers (ISPs) to provide the anti-DDoS service to their customers. These mechanisms rely completely on the edge routers to cooperatively identify the flooding sources and establish rate-limit filters to block the attack traffic. The system does not require any support from routers outside or inside of the ISP, which not only makes it locally deployable but also avoids stress on the ISP core routers. We also study a new problem of perimeter-based IP traceback and provide three solutions. We demonstrate analytically and by simulations that the proposed defense mechanisms react quickly in blocking attack traffic while achieving a high survival ratio for legitimate traffic. Even when 40 percent of all customer networks attack, the survival ratio for traffic from the other customer networks is still close to 100 percent.