Distributed divide-and-conquer techniques for effective DDoS attack defenses
Venue
IEEE International Conference on Distributed Computing Systems (ICDCS) (2008)
Publication Year
2008
Authors
Muthuprasanna Muthusrinivasan, Manimaran Govindarasu
BibTeX
Abstract
Distributed Denial-of-Service (DDoS) attacks have emerged as a popular means of
causing mass targeted service disruptions, often for extended periods of time. The
relative ease and low costs of launching such attacks, supplemented by the current
woeful state of any viable defense mechanism, have made them one of the top threats
to the Internet community today. While distributed packet logging and/or packet
marking have been explored in the past for DDoS attack traceback/mitigation, we
propose to advance the state of the art by using a novel distributed
divide-and-conquer approach in designing a new data dissemination architecture that
efficiently tracks attack sources. The main focus of our work is to tackle the
three disjoint aspects of the problem, namely attack tree construction, attack path
frequency detection, and packet to path association, independently and to use
succinct recurrence relations to express their individual implementations. We also
evaluate the network traffic and storage overhead induced by our proposed
deployment on real-life Internet topologies, supporting hundreds of victims each
subject to thousands of high-bandwidth flows simultaneously, and conclude that we
can truly achieve single packet traceback guarantees with minimal overhead and high
efficiency.
