CFP last date
20 January 2025
Reseach Article

A Comparative Study on Capability v/s. Filtering based Defense Mechanisms

by Shubha Mishra, R. K. Pateriya
International Journal of Computer Applications
Foundation of Computer Science (FCS), NY, USA
Volume 93 - Number 11
Year of Publication: 2014
Authors: Shubha Mishra, R. K. Pateriya
10.5120/16261-5922

Shubha Mishra, R. K. Pateriya . A Comparative Study on Capability v/s. Filtering based Defense Mechanisms. International Journal of Computer Applications. 93, 11 ( May 2014), 29-35. DOI=10.5120/16261-5922

@article{ 10.5120/16261-5922,
author = { Shubha Mishra, R. K. Pateriya },
title = { A Comparative Study on Capability v/s. Filtering based Defense Mechanisms },
journal = { International Journal of Computer Applications },
issue_date = { May 2014 },
volume = { 93 },
number = { 11 },
month = { May },
year = { 2014 },
issn = { 0975-8887 },
pages = { 29-35 },
numpages = {9},
url = { https://ijcaonline.org/archives/volume93/number11/16261-5922/ },
doi = { 10.5120/16261-5922 },
publisher = {Foundation of Computer Science (FCS), NY, USA},
address = {New York, USA}
}
%0 Journal Article
%1 2024-02-06T22:14:36.158767+05:30
%A Shubha Mishra
%A R. K. Pateriya
%T A Comparative Study on Capability v/s. Filtering based Defense Mechanisms
%J International Journal of Computer Applications
%@ 0975-8887
%V 93
%N 11
%P 29-35
%D 2014
%I Foundation of Computer Science (FCS), NY, USA
Abstract

Denial-of-Service and Distributed Denial-of-Service attacks have been the attack forms with maximum impact on their victims since their origin. The intensity of DDoS attacks is high as the attacker's identity and attack source is safeguarded well behind the bots. Numerous defense mechanisms have been employed to provide robustness against them. In this work, we aim to perform an in-depth study of a few filtering and capability based mechanisms. The advantages and limitations of each along with their architecture and operational services have been discussed in detail. A comparative analysis of their performances with their employment feasibility on the two scales (large or small) had been described as well. The goal of this work is to ease the selection of most robust techniques from these two classifications (filtering and capability based).

References
  1. History of the Internet, [online] http://en. wikipedia. org/wiki/History_of_the_Internet.
  2. P. J. Criscuolo, Distributed Denial of Service, Tribe Flood Network 2000, and Stacheldraht CIAC-2319, Department of Energy Computer Incident Advisory Capability (CIAC), UCRL-ID-136939, Rev. 1. , Lawrence Livermore National Laboratory, February 14, 2000.
  3. X. Yang, D. Wetherall, and T. Anderson, TVA: a DoS-limiting network architecture, IEEE/ACM Trans. Netw. , vol. 16, no. 6, pp. 1267-1280, 2008.
  4. Xin Liu, Xiaowei Yang and Yanbin Lu, "To Filter or to Authorize: Network-Layer DoS Defense against Multimillion-node Botnets", ACM SIGCOMM'08, August 17–22, 2008, Seattle, Washington, USA.
  5. B. Parno, D. Wendlandt, E. Shi, A. Perrig, B. Maggs, and Y. -C. Hu, "Portcullis:Protecting Connection Setup from Denial-of-Capability Attacks. " In ACM SIGCOMM, 2007.
  6. K. Argyraki and D. R. Cheriton, Scalable network-layer defense against internet bandwidth-flooding attacks, IEEE/ACM Transaction Netw. , 17(4), pp. 1284-1297, August 2009.
  7. A. Yaar, A. Perrig, and D. Song, SIFF: a Stateless Internet Flow Filter to Mitigate DDoS Flooding Attacks, in Proc. 2004 IEEE Symposium on Security and Privacy, pp. 130-143, May 2004.
  8. X. Yang, "NIRA: A new internet routing architecture", Proc. ACM SIGCOMM Workshop on Future Directions in Network Architecture (FDNA), Karlsruhe, Germany, Aug. 2003.
  9. K. Argyraki and D. R. Cheriton, "Loose source routing as a mechanism for traffic policies", Proc. ACM SIGCOMM Workshop on Future Directions in Network Architecture (FDNA), Portland, OR, Aug. 2004.
  10. R. Mahajan, S. M. Bellovin, S. Floyd, J. Ioannidis, V. Paxson, and S. Shenker, Controlling high bandwidth aggregates in the network, presented at Computer Communication Review, pp. 62-73, 2002.
  11. Ratul Mahajan, Steven M. Bellovin, Sally Floyd, John Ioannidis, Vern Paxson, and Scott Shenker, "Controlling high bandwidth aggregates in the network", Submitted to ACM SIGCOMM 2001.
  12. John Ioannidis and Steven M. Bellovin, "Implementing Pushback: Router-Based Defense Against DDoS Attacks", in Proc. of Network and Distributed System Security Symposium, 2002.
  13. Ratul Mahajan, Steven M. Bellovin, Sally Floyd, John Ioannidis, Vern Paxson, and Scott Shenker, Controlling high bandwidth aggregates in the network – extended version. [online] http://www. aciri. org/pushback/.
  14. Criscuolo, P. J. (2000) Distributed Denial of Service Trinoo, Tribe Flood Network, Tribe Flood Network 2000, and Stacheld-raht, CIAC-2319, Department of Energy Computer Incident Advisory (CIAC). Rev. 1 UCRL-ID-136939.
  15. Dietrich, S. , Long, N. , and Dittrich, D. (2000), Analyzing distributed denial of service tools: The shaft case. Proceedings of the 14th USENIX conference on System administration, New Orleans, Louisiana, USA, 3-8 December, pp. 329–340. USENIX Association.
  16. Hancock, B. (2000), Trinity v3: A DDoS tool hits the streets. Computers & Security, 19, 574.
  17. Batishchev, A. M. (2004), " LOIC(Low Orbit Ion Cannon)", [online] http://sourceforge. net/projects/loic/.
  18. T. Peng, C. Leckie, and K. Ramamohanarao, Survey of network-based defense mechanisms countering the DoS and DDoS problems, ACM Comput. Survey 39, 1, Article 3, April 2007.
  19. C. Douligeris, and A. Mitrokotsa, DDoS attacks and defense mechanisms: classification and state-of-the-art, Computer Networks, Vol. 44, No. 5, pp. 643-666, April 2004.
  20. P. Ferguson, and D. Senie, Network Ingress Filtering: Defeating Denial of Service Attacks that employ IP source address spoofing, Internet RFC 2827, 2000.
  21. ha. ckers. org, Slowloris HTTP DoS, Retrieved Oct. 19, 2012, [online] http://ha. ckers. org/slowloris/
  22. K. J. Higgins, Researchers To Demonstrate New Attack That Exploits HTTP, Nov. 01, 2010, [online] http://www. darkreading. com/vulnerabilitymanagement/167901026/security/attacks-breaches/228000532/index. html
  23. Egress Filtering, [online] http: // en. wikipedia. org/wiki/Egress_Filtering.
  24. X. Yang, D. Wetherall, and T. Anderson, A DoS-limiting Architecture, ACM SIGCOMM, Philadelphia, PA, USA, August 2005.
  25. CISCO, "Remotely triggered black-hole filtering- destination based and source based", [online] http://www. cisco. com/c/dam/en/us/products/collateral/security/ios-network-foundation-protection nfp/prod_white_paper0900aecd80313fac. pdf
  26. Black-hole filtering, [online] http://en. wikipedia. org/wiki/Black_hole (networking)
  27. IETF, Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing, May 2000, [online] https://tools. ietf. org/html/rfc2827.
  28. IETF, Ingress Filtering for Multihomed Networks, March 2004, [online] https://tools. ietf. org/html/rfc3704.
  29. Liu, X. , Li, A. , Yang, X. , and Wetherall, D. 2008, " Passport: secure and adoptable source Authentication", In Proceedings of the 5th USENIX Symposium on Networked Systems Design and Implementation. NSDI'08. USENIX Association, Berkeley, CA, USA, 365-378.
  30. X. Yang, A DoS Limiting Network Architecture, [online] http://www. cs. duke. edu/nds/ddos/
Index Terms

Computer Science
Information Sciences

Keywords

DoS DDoS filtering and capability-based mechanisms attack traffic and legitimate traffic.