By Topic

A Control Theoretical Approach for Flow Control to Mitigate Bandwidth Attacks

Sign In

Cookies must be enabled to login.After enabling cookies , please use refresh or reload or ctrl+f5 on the browser for the login options.

Formats Non-Member Member
$31 $13
Learn how you can qualify for the best price for this item!
Become an IEEE Member or Subscribe to
IEEE Xplore for exclusive pricing!
close button

puzzle piece

IEEE membership options for an individual and IEEE Xplore subscriptions for an organization offer the most affordable access to essential journal articles, conference papers, standards, eBooks, and eLearning courses.

Learn more about:

IEEE membership

IEEE Xplore subscriptions

2 Author(s)

Flooding-based distributed denial-of-service (DoS) attack presents a very serious threat to the stability of the Internet. However, current intrusion detection is unreliable and may have high false-positives. Rate-limiting is a better-suited response than complete filtering. Filtering out all the traffic to the victim would greatly damage misclassified flows, whereas rate-limiting still allows some packets to reach the destination and thus keeps connection alive. Allowing some attack packets through is acceptable, since the attack's overall impact depends on the volume of the attack packets. Moreover, if the flow-rate of low-priority is reduced, the high-priority flow would get more chances to access the server they share, which eventually reduce the congestion and improve the throughput of the high-priority flow. Based on tie concept of flow aggregation management architecture (Sui Song, et al., April 2006), we present a flow-based congestion control (FCC) architecture that consists of a flow-based quality-of-service (FQoS) regulator and PID controller. The whole system adopts a control-theoretic approach to adjust the traffic rate of every link (or server) so as to maintain the traffic rates at their desired level. In order to provide more fine-grained differentiated services (or flows) with different weight and maximally limit malicious services (or flows), we propose multilevel packet classification structure. Moreover, in order maximally to block flooding, the flow-based network intrusion detection (Sui Song, et al., April 2006) is used to classify each flow in the network into different priority classes and give different treatment to the flow-rates belonging to different classes. The architecture is shown to be highly flexible service differentiation and robust against different types of flooding attacks, and traditional network traffic control can be implemented using one common framework. This system has been evaluated by using simulated test-bed data. Res- - ults showed the success that the system mitigates bandwidth flooding attacks

Published in:

Information Assurance Workshop, 2006 IEEE

Date of Conference:

21-23 June 2006