End to end defence against DDoS attacks
-
-
[1] University of St Andrews
University of St Andrews
Reino Unido
-
- Localización: Proceedings of the IADIS International Conference WWW/INTERNET 2004: Madrid, Spain, October 6-9, 2004 / coord. por Pedro Isaías, Nitya Karmakar, Vol. 1, 2004 (Full papers), ISBN 972-99353-0-0, págs. 325-333
- Idioma: inglés
- Texto completo no disponible (Saber más ...)
-
Resumen
Denial of Service (DoS) attacks and Distributed Denial of Service (DDoS) attacks accounted for more losses than Internet financial fraud and viruses combined (CSI/FBI 2003). The Internet has been exposed as being particularly vulnerable to Denial of Service Attacks. This has stimulated research into DDoS and the consequent development of many techniques which aim to control them. This paper aims to contribute to this literature. An holistic approach to combating DDoS is proposed, which places particular stress on the importance of locating functionality in the most appropiate location and that source, intermediate and destination network elements co-operate together. It is argued that attack traffic is best stopped before it leaves its source network, that it is best detected and analysed at the target network and intermediate routers need precise information to allow them to control economically the DDoS traffic that escapes the source network. The design of a passive monitor that is able to use measurements of attack and regualr traffic to enable dynamic configuration of network elements is presented along with a detailed discussion of how such a monitor can be deployed to combat the common SYN flood attack. The extension of this approach to combat other forms of DDoS attack is also discussed.
