By Topic

Proactive Surge Protection: A Defense Mechanism for Bandwidth-Based Attacks

Sign In

Cookies must be enabled to login.After enabling cookies , please use refresh or reload or ctrl+f5 on the browser for the login options.

Formats Non-Member Member
$31 $13
Learn how you can qualify for the best price for this item!
Become an IEEE Member or Subscribe to
IEEE Xplore for exclusive pricing!
close button

puzzle piece

IEEE membership options for an individual and IEEE Xplore subscriptions for an organization offer the most affordable access to essential journal articles, conference papers, standards, eBooks, and eLearning courses.

Learn more about:

IEEE membership

IEEE Xplore subscriptions

4 Author(s)
Chou, J.C.-Y. ; Dept. of Comput. Sci., Univ. of California, San Diego, La Jolla, CA, USA ; Bill Lin ; Sen, S. ; Spatscheck, O.

Large-scale bandwidth-based distributed denial-of-service (DDoS) attacks can quickly knock out substantial parts of a network before reactive defenses can respond. Even traffic that is not under direct attack can suffer significant collateral damage if the traffic passes through links that are common to attack routes. This paper presents a proactive surge protection (PSP) mechanism that aims to provide a broad first line of defense against DDoS attacks. The approach aims to minimize collateral damage by providing bandwidth isolation between traffic flows. The proposed solution is readily deployable using existing router mechanisms and does not rely on any unauthenticated packet header information. Our extensive evaluation across two large commercial backbone networks, using both distributed and targeted attacks, shows that up to 95.5% of the network could suffer collateral damage, but our solution was able to significantly reduce the amount of collateral damage by up to 97.58% in terms of the number of packets dropped and 90.36% in terms of the number of flows with packet loss. Further, we show that PSP can maintain low packet loss rates even when the intensity of attacks is increased significantly.

Published in:

Networking, IEEE/ACM Transactions on  (Volume:17 ,  Issue: 6 )