A Router Based Packet Filtering Scheme for Defending Against DoS Attacks (cited by: 1)

Abstract: Filter-based reactive packet filtering is a key technology in attack traffic filtering for defending against Denial-of-Service (DoS) attacks. Two kinds of relevant schemes have been proposed: victim-end filtering and source-end filtering. The first scheme prevents attack traffic from reaching the victim, but causes a huge loss of legitimate flows (termed collateral damage) due to the scarce filters; the other extreme scheme can obtain sufficient filters, but severely degrades network transmission performance due to the abused filtering routers. In this paper, we propose a router based packet filtering scheme, which provides relatively more filters while reducing the number of filtering routers. We implement this scheme on emulated DoS scenarios based on synthetic and real-world Internet topologies. Our evaluation results show that, compared to the previous work, our scheme uses just 20% of its filtering routers while increasing its collateral damage by less than 15 percent.
Source: China Communications (English edition), indexed in SCIE and CSCD, 2014, Issue 10, pp. 136-146 (11 pages)
Funding: Supported in part by the funding agencies of China: the Doctoral Fund of Northeastern University of Qinhuangdao (Grant No. XNB201410) and the Fundamental Research Funds for the Central Universities (Grant No. N130323005)
Keywords: Internet security; DoS attacks; filter-based reactive packet filtering; filtering router; packet filtering; filter; denial of service; network transmission; structure simulation; network topology
