To filter or to authorize
Top 10% of 2008 papers
Abstract
This paper presents the design and implementation of a filter-based DoS defense system (StopIt) and a comparison study on the effectiveness of filters and capabilities. Central to the StopIt design is a novel closed-control, open-service architecture: any receiver can use StopIt to block the undesired traffic it receives, yet the design is robust to various strategic attacks from millions of bots, including filter exhaustion attacks and bandwidth flooding attacks that aim to disrupt the timely installation of filters. Our evaluation shows that StopIt can block the attack traffic from a few million attackers within tens of minutes with bounded router memory. We compare StopIt with existing filter-based and capability-based DoS defense systems under simulated DoS attacks of various types and scales. Our results show that StopIt outperforms existing filter-based systems, and can prevent legitimate communications from being disrupted by various DoS flooding attacks. It also outperforms capability-based systems in most attack scenarios, but a capability-based system is more effective against one type of attack in which the attack traffic does not reach the victim but instead congests a link shared by the victim. These results suggest that both filters and capabilities are highly effective DoS defense mechanisms, but neither is more effective than the other in all types of DoS attacks.
Related Papers
- A Survey of DDoS Attacks Detection Schemes in SDN Environment (2023), 7 citations
- Review of modern DDoS-attacks, methods and means of counteraction (2017), 18 citations
- An Autonomous System for Predicting DDoS Attacks on Local Area Networks and the Internet (2023), 3 citations
- DDOS’s attack and defense (2007)
- A Review Paper on DDoS Detection Using Machine Learning (2023)