
To filter or to authorize: Network-layer DoS defense against multimillion-node botnets

Publication, Journal Article
Liu, X; Yang, X; Lu, Y
Published in: Computer Communication Review
December 1, 2008

This paper presents the design and implementation of a filter-based DoS defense system (StopIt) and a comparison study on the effectiveness of filters and capabilities. Central to the StopIt design is a novel closed-control, open-service architecture: any receiver can use StopIt to block the undesired traffic it receives, yet the design is robust to various strategic attacks from millions of bots, including filter exhaustion attacks and bandwidth flooding attacks that aim to disrupt the timely installation of filters. Our evaluation shows that StopIt can block the attack traffic from a few million attackers within tens of minutes with bounded router memory. We compare StopIt with existing filter-based and capability-based DoS defense systems under simulated DoS attacks of various types and scales. Our results show that StopIt outperforms existing filter-based systems, and can prevent legitimate communications from being disrupted by various DoS flooding attacks. It also outperforms capability-based systems in most attack scenarios, but a capability-based system is more effective in a type of attack in which the attack traffic does not reach the victim but congests a link shared by the victim. These results suggest that both filters and capabilities are highly effective DoS defense mechanisms, but neither is more effective than the other in all types of DoS attacks. Copyright 2008 ACM.
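The abstract's closing point (filters help only against traffic the victim actually receives, whereas capabilities also protect a shared link) is easiest to see in a small model. The following Python is an added illustration written for this page; it is not code from the paper or from the StopIt implementation. It assumes a single bottleneck link of 100 traffic units (a constructed value), drop-tail sharing by offered volume, a receiver that can request filters only against sources whose packets reach it and whose filtering router holds a bounded number of entries, and a capability router that confines traffic without a capability to 10% of the link. All flow names and rates are constructed sample input.

```python
"""Toy model: filter-based vs capability-based defense on one bottleneck link.
Constructed illustration for this page, not the StopIt design itself."""
from dataclasses import dataclass
from typing import List, Tuple

LINK_CAPACITY = 100          # assumed: traffic units the link carries per round
UNAUTHORIZED_SHARE = 0.10    # assumed: link share a capability router leaves for
                             # packets that carry no capability


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    rate: int
    authorized: bool   # True if dst consented to this sender (would grant a capability)


def _legit_delivered(flows: List[Flow], victim: str, capacity: float) -> float:
    """Fraction of the victim's wanted traffic that survives when `flows` share
    `capacity` drop-tail (every flow loses the same fraction when overloaded)."""
    offered = sum(f.rate for f in flows)
    wanted = sum(f.rate for f in flows if f.dst == victim and f.authorized)
    if wanted == 0:
        return 0.0
    return 1.0 if offered <= capacity else capacity / offered


def no_defense(flows: List[Flow], victim: str) -> float:
    return _legit_delivered(flows, victim, LINK_CAPACITY)


def filter_defense(flows: List[Flow], victim: str, filter_budget: int) -> Tuple[float, int]:
    """Receiver-driven filters. The victim can only name sources whose packets it
    receives (dst == victim), and the router stores at most `filter_budget` entries,
    modelling bounded filter memory. Returns (delivered fraction, filters installed)."""
    unwanted_srcs = sorted({f.src for f in flows if f.dst == victim and not f.authorized})
    blocked = set(unwanted_srcs[:filter_budget])
    remaining = [f for f in flows if f.src not in blocked]
    return _legit_delivered(remaining, victim, LINK_CAPACITY), len(blocked)


def capability_defense(flows: List[Flow], victim: str) -> float:
    """Capability router: packets carrying a capability share (1 - UNAUTHORIZED_SHARE)
    of the link among themselves; everything else is squeezed into the rest, so
    unauthorized traffic cannot starve authorized traffic regardless of its dst."""
    privileged = [f for f in flows if f.authorized]
    return _legit_delivered(privileged, victim, LINK_CAPACITY * (1 - UNAUTHORIZED_SHARE))


def scenario(direct: bool, n_bots: int = 1000) -> List[Flow]:
    """Constructed traffic mix: 5 legitimate senders (rate 2 each) to 'victim' plus
    n_bots bots (rate 1 each). direct=True floods the victim; direct=False floods
    'neighbor', a host behind the same link that never granted the bots anything."""
    legit = [Flow(f"user{i}", "victim", 2, True) for i in range(5)]
    target = "victim" if direct else "neighbor"
    bots = [Flow(f"bot{i}", target, 1, False) for i in range(n_bots)]
    return legit + bots


if __name__ == "__main__":
    for direct in (True, False):
        flows = scenario(direct)
        label = "direct flood of victim" if direct else "flood of shared link"
        print(f"--- {label} ---")
        print(f"no defense:            {no_defense(flows, 'victim'):.3f}")
        for budget in (100, 1000):
            frac, n = filter_defense(flows, "victim", budget)
            print(f"filters (budget {budget:>4}): {frac:.3f}  ({n} filters installed)")
        print(f"capabilities:          {capability_defense(flows, 'victim'):.3f}")
```

In the direct flood, filters restore full delivery once the router can hold one entry per bot, and a budget smaller than the botnet leaves most of the flood in place, which is why the abstract stresses bounded router memory. In the shared-link flood the victim receives none of the attack packets, so it has nothing to filter and delivery stays at the undefended level, while the capability router still protects the authorized flows.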


Published In

Computer Communication Review

DOI

10.1145/1402946.1402981

EISSN

0146-4833

ISSN

0146-4833

Publication Date

December 1, 2008

Volume

38

Issue

4

Start / End Page

195 / 206

Related Subject Headings

  • Networking & Telecommunications
  • 4606 Distributed computing and systems software
  • 4006 Communications engineering
  • 1005 Communications Technologies
  • 0805 Distributed Computing
  • 0803 Computer Software
 

Citation

APA
Liu, X., Yang, X., & Lu, Y. (2008). To filter or to authorize: Network-layer DoS defense against multimillion-node botnets. Computer Communication Review, 38(4), 195–206. https://doi.org/10.1145/1402946.1402981

Chicago
Liu, X., X. Yang, and Y. Lu. “To filter or to authorize: Network-layer DoS defense against multimillion-node botnets.” Computer Communication Review 38, no. 4 (December 1, 2008): 195–206. https://doi.org/10.1145/1402946.1402981.

ICMJE
Liu X, Yang X, Lu Y. To filter or to authorize: Network-layer DoS defense against multimillion-node botnets. Computer Communication Review. 2008 Dec 1;38(4):195–206.

MLA
Liu, X., et al. “To filter or to authorize: Network-layer DoS defense against multimillion-node botnets.” Computer Communication Review, vol. 38, no. 4, Dec. 2008, pp. 195–206. Scopus, doi:10.1145/1402946.1402981.

NLM
Liu X, Yang X, Lu Y. To filter or to authorize: Network-layer DoS defense against multimillion-node botnets. Computer Communication Review. 2008 Dec 1;38(4):195–206.
