Research Article

Resistance against Distributed Denial of Service Attacks (DDoS) Using Bandwidth Based Admission Control

by V.Shyamala Devi, R.S.D. Wahidabanu, K.Duraisway
International Journal of Computer Applications
Foundation of Computer Science (FCS), NY, USA
Volume 1 - Number 19
Year of Publication: 2010
DOI: 10.5120/396-591

V.Shyamala Devi, R.S.D. Wahidabanu, K.Duraisway. Resistance against Distributed Denial of Service Attacks (DDoS) Using Bandwidth Based Admission Control. International Journal of Computer Applications. 1, 19 (February 2010), 90-97. DOI=10.5120/396-591

@article{ 10.5120/396-591,
author = { V.Shyamala Devi, R.S.D. Wahidabanu, K.Duraisway },
title = { Resistance against Distributed Denial of Service Attacks (DDoS) Using Bandwidth Based Admission Control },
journal = { International Journal of Computer Applications },
issue_date = { February 2010 },
volume = { 1 },
number = { 19 },
month = { February },
year = { 2010 },
issn = { 0975-8887 },
pages = { 90-97 },
numpages = {9},
url = { https://ijcaonline.org/archives/volume1/number19/396-591/ },
doi = { 10.5120/396-591 },
publisher = {Foundation of Computer Science (FCS), NY, USA},
address = {New York, USA}
}
Abstract

Internet hosts are threatened by large-scale Distributed Denial-of-Service (DDoS) attacks. The Path Identification DDoS defense scheme has recently been proposed as a deterministic packet marking scheme that allows a DDoS victim to filter out attack packets on a per-packet basis with high accuracy after only a few attack packets are received. The previous work described Stack Path Identification marking, a packet marking scheme based on path identification, and filtering mechanisms. To circumvent detection, attackers are increasingly moving from floods to attacks that mimic the behavior of a large number of clients and target expensive higher-layer resources such as CPU, database and disk bandwidth. The resulting attacks are hard to defend against using standard techniques, as the malicious requests differ from the legitimate ones in intent but not in content. The proposal in this work improves our previous path identification scheme to protect network servers against DDoS attacks that masquerade as crowds. It provides rate filter authentication using verifiers and differs from other systems by using an intermediate stage to identify the IP addresses that ignore the verifier and persistently bombard the server with requests despite repeated failures. Once these machines are identified, it blocks their requests and allows access to legitimate users. It protects the authentication mechanism itself from DDoS attacks and integrates filter authentication with bandwidth admission control. Rate limitation implies that a peer must reject or even drop some incoming requests.

Index Terms

Computer Science
Information Sciences

Keywords

DDoS IP spoofing ISP security Network Stack-based marking Rate Filter Bandwidth