
Scalable defense against Internet bandwidth flooding attacks.


Abstract

During a distributed bandwidth-flooding attack, a large number of attack sources coordinate to send a high volume of undesired traffic to the victim with the purpose of exhausting its bandwidth. These attacks have proved difficult (sometimes impossible) to combat, as they require that action be taken upstream of the victim's tail circuit. Current practice is typically restricted to the victim's administrator asking their ISP to manually install filters to block the attack, an approach that is increasingly insufficient as attacks become more sophisticated. The intuitive response is to automate this process, i.e., to enable the victim to compute undesired-traffic signatures automatically and send filtering requests to its ISP. Yet this approach faces significant challenges: given the magnitude of currently witnessed attacks, it is unlikely that an ISP alone has enough resources to protect multiple attacked clients. Moreover, asking other ISPs for help is complicated, in that it requires special inter-ISP relationships that do not exist today and raises security issues.

This dissertation presents Active Internet Traffic Filtering (AITF), an IP-layer defense mechanism against distributed bandwidth-flooding attacks that addresses these challenges. Three key points guide the design of AITF. First, an "attack source" is defined as an entity that has been asked to stop sending certain traffic and has been caught disobeying; this definition simplifies the task of the network and prevents misclassification of innocent hosts. Second, attack traffic is blocked at routers located close to the attack sources; this is key to the mechanism's scalability, as each network becomes responsible for blocking its own misbehaving clients. Finally, a network that hosts attack sources either cooperates and helps block attack traffic, or risks losing its access to the victim, which provides an incentive to cooperate.

We show that AITF preserves a significant percentage of the victim's bandwidth, while the per-client cost for each participating ISP is already affordable for today's ISPs and is not expected to increase as the Internet grows. We also show that AITF can be incrementally deployed in the Internet without any special inter-ISP relationships. We conclude that the IP layer of the Internet can provide an effective, scalable and deployable solution against distributed bandwidth-flooding attacks.
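The following is an added illustration, not code from the dissertation and not an implementation of the AITF protocol: a constructed round-based model of only the three design points named in the abstract (a host becomes an attack source once it has been asked to stop and keeps sending, the gateway nearest the source does the blocking, and a network whose gateway ignores the request loses its access to the victim). The request format, the handshake between gateways, filter timeouts and the route recording that AITF actually uses are assumed away; the per-source threshold, the rates, the capacity and the three networks A, B and C are made up for the scenario.

```python
# Added example: toy simulation of the escalation policy sketched in the abstract.
# It is a simplification written for this page, not the dissertation's AITF
# protocol. All hosts, rates and thresholds below are constructed.
from dataclasses import dataclass, field


@dataclass
class Source:
    addr: str
    net: str          # network (and gateway) hosting this host
    rate: int         # bandwidth units sent to the victim per round
    malicious: bool   # ground truth, used only for the statistics
    asked: bool = False

    def emit(self) -> int:
        # An innocent host stops when asked; an attacker keeps sending.
        if self.asked and not self.malicious:
            return 0
        return self.rate


@dataclass
class SourceGateway:
    """Router close to the sources. A cooperative one honours filter requests."""
    net: str
    cooperative: bool
    asked: set = field(default_factory=set)    # hosts asked to stop
    blocked: set = field(default_factory=set)  # hosts caught disobeying

    def filter_request(self, src: Source) -> None:
        if self.cooperative:
            self.asked.add(src.addr)
            src.asked = True  # the request is relayed to the host

    def forward(self, src: Source, units: int) -> int:
        if src.addr in self.blocked:
            return 0
        if units and src.addr in self.asked:
            # Asked to stop and still sending: by the abstract's definition this
            # host is now an attack source, and its own network blocks it.
            self.blocked.add(src.addr)
            return 0
        return units


@dataclass
class VictimGateway:
    """Edge router upstream of the victim's tail circuit."""
    capacity: int
    threshold: int                               # per-source rate that triggers a request
    requested: set = field(default_factory=set)  # hosts a gateway was asked to stop
    blocked_nets: set = field(default_factory=set)

    def run_round(self, sources, gateways) -> dict:
        arrivals = {}
        for s in sources:
            if s.net in self.blocked_nets:
                continue  # the whole network lost its access to the victim
            units = gateways[s.net].forward(s, s.emit())
            if units:
                arrivals[s.addr] = units
        for s in sources:
            units = arrivals.get(s.addr, 0)
            if units and s.addr in self.requested:
                # Traffic still arrives after the request: the hosting network did
                # not cooperate, so it loses its access to the victim.
                self.blocked_nets.add(s.net)
            elif units > self.threshold:
                self.requested.add(s.addr)
                gateways[s.net].filter_request(s)
        total = sum(arrivals.values())
        share = min(1.0, self.capacity / total) if total else 1.0  # tail-circuit drop
        legit = sum(arrivals.get(s.addr, 0) for s in sources if not s.malicious)
        return {"attack": total - legit, "legit": legit,
                "legit_delivered": round(legit * share, 1)}


def simulate(rounds: int = 3):
    """Constructed scenario: A cooperates, B does not, C hosts an innocent heavy sender."""
    gateways = {
        "A": SourceGateway("A", cooperative=True),
        "B": SourceGateway("B", cooperative=False),
        "C": SourceGateway("C", cooperative=True),
    }
    sources = [
        Source("a1", "A", 40, True), Source("a2", "A", 40, True), Source("a3", "A", 40, True),
        Source("l1", "A", 5, False),
        Source("b1", "B", 40, True), Source("b2", "B", 40, True),
        Source("l2", "B", 5, False),
        Source("c1", "C", 15, False),  # innocent but above threshold: asked, then stops
    ]
    victim = VictimGateway(capacity=100, threshold=10)
    history = [victim.run_round(sources, gateways) for _ in range(rounds)]
    return victim, gateways, history


if __name__ == "__main__":
    victim, gateways, history = simulate()
    for i, h in enumerate(history, 1):
        print(f"round {i}: {h}")
    print("blocked at own gateway:", {n: sorted(g.blocked) for n, g in gateways.items()})
    print("networks cut off at the victim:", victim.blocked_nets)
```

Running simulate() walks three rounds: in round 1 the victim's gateway is flooded (200 attack units against a capacity of 100) and sends requests for every source above the threshold; in round 2 network A's attackers are caught disobeying and blocked at their own gateway, while network B forwards them anyway and is cut off entirely; in round 3 no attack traffic reaches the victim. c1 is asked and stops, so it never lands in a blocked set, which is the point of defining an attack source by disobedience rather than by volume. The drop in legitimate units in the last round is l2 paying for its network's refusal to cooperate.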
