During an Internet distributed denial-of-service (DDoS) attack, attackers pose asa superpower overloading bandwidth and services that otherwise would have beenlightly used by genuine users. These legitimate users send few packets and occasionallyback-off and fail while competing for resources. The Internet architectureprovides only modest support for verifying the true origin of a packet or intentionof a sender. This makes identification and filtering of attack traffic difficult.DDoS attacks could be limited greatly if there were a way to fairly distribute theresources among the parties despite limited origin integrity.In our work, we propose two methods for achieving fairness despite no orpartial implementation for integrity verification. Adaptive Selective Verification(ASV) provides legitimate clients service despite large but bounded attack rateswithout any integrity infrastructure. ASV can be implemented, without the cooperationof the core routers, by slight modification of the client and server applications.The other system is Integrity Based Queuing (IBQ). In this work, we expectthat integrity will not be perfect, but observe that even an imperfect implementationcan improve the effectiveness of queuing when parities with better a integritylevel are incentivized. ASV and IBQ together create a mechanism for incentives,infrastructure and independence for network service assurance.ASV is shown to be efficient in terms of bandwidth consumption using networksimulations. It differs from previously-investigated adaptive mechanismsfor bandwidth based payment by requiring very limited state on server. Our studyof IBQ includes proof of direct relationship of integrity to service, a networksimulation for comparative study, simulation with real attack traffic and securityanalysis.Our network assurance architecture provides a synergistic approach for defendingagainst DDoS attacks. With moderate infrastructure support, IBQ can be anarchitecture to provide graded source validation on the Internet. Clients that do nothave the support from the ISP, use their spare bandwidth with ASV for service.
展开▼
