Name
Abstract | ||
|---|---|---|
Deploying defense mechanisms in routers holds promises for protecting infrastructure resources such as link bandwidth or router buffers against network denial-of-service (DoS) attacks. However, in spite of their efficacy against brute-force flooding attacks, existing router-based defenses often perform poorly when confronted to more sophisticated attack strategies. This paper presents the design and evaluation of a system aimed at identifying and containing a broad range of malicious traffic patterns. Its main feature is a double time horizon architecture, designed for effective regulation of attacking traffic at both short and long time scales. The short horizon component responds quickly to transient traffic surges that deviate significantly from regular (TCP) traffic, i.e., attackers that generate sporadic short bursts. Conversely, the long horizon mechanism enforces strict conformance with normal TCP behavior, but does so by considering traffic over longer time periods, and is therefore aimed at attackers that attempt to capture a significant amount of link bandwidth. The performance of the proposed system was tested extensively. Our findings suggest that the implementation cost of the system is reasonable, and that it is indeed efficient against various types of attacks while remaining transparent to normal TCP users |
Year | DOI | Venue |
|---|---|---|
2006 | 10.1109/SECCOMW.2006.359585 | SecureComm |
Keywords | Field | DocType |
telecommunication congestion control,tcp traffic,double horizon defense design,transport protocols,brute-force flooding attacks,router buffers,network denial-of-service attacks,telecommunication security,telecommunication traffic,telecommunication network routing,double time horizon architecture,robust malicious traffic regulation,link bandwidth,router-based defenses,denial of service,doubling time,dos attack,defense mechanism,network | Architecture,Denial-of-service attack,Computer science,Computer security,Horizon,Telecommunication security,Computer network,Bandwidth (signal processing),Router,Spite | Conference |
ISBN | Citations | PageRank |
1-4244-0423-1 | 2 | 0.39 |
References | Authors | |
0 | 2 | |
Name | Order | Citations | PageRank |
|---|---|---|---|
| Ying Xu | 1 | 62 | 9.43 |
| Roch Guérin | 2 | 505 | 33.93 |