Title :
DDoS Defense Deployment with Network Egress and Ingress Filtering
Author :
Du, Ping ; Nakao, Akihiro
Author_Institution :
NiCT, Tokyo, Japan
Abstract :
In this paper, we propose a DDoS defense architecture, named NEIF (Network Egress and Ingress Filtering), which is deployed at the Internet Service Provider´s (ISP) edge routers to prohibit DDoS attacks into and from the ISPs´ networks. The main challenge is how to implement NEIF with a small fixed amount of memory and low implementation complexity so that it may be acceptable by ISPs. We first design a bloom filter based data structure to identify and measure a few relatively large flows instead of all flows, where the amount of required memory is independent of link speeds and the number of flows. Then, the relatively large flows are rate-limited to their fair share based on the packet symmetry-the ratio of received and transmitted packets of a host. The dropping decisions of each flow are made on the observed counters directly that are with low implementation complexity. Finally, we implement NEIF with Click and perform experiments on PlanetLab. The experimental results validate our analysis and show that the Internet can benefit from NEIF even under partial deployment.
Keywords :
Internet; filtering theory; security of data; telecommunication network routing; telecommunication security; DDoS attacks; DDoS defense deployment; Internet service provider edge routers; PlanetLab; bloom filter; data structure; dropping decisions; ingress filtering; network egress; packet symmetry; Communications Society; Computer crime; Counting circuits; Data structures; Information filtering; Information filters; Internet; Service oriented architecture; Traffic control; Velocity measurement;
Conference_Titel :
Communications (ICC), 2010 IEEE International Conference on
Conference_Location :
Cape Town
Print_ISBN :
978-1-4244-6402-9
DOI :
10.1109/ICC.2010.5502654
