Title : 
ALPi: A DDoS Defense System for High-Speed Networks
         
        
            Author : 
Ayres, Paulo E. ; Sun, Huizhong ; Chao, H. Jonathan ; Lau, Wing Cheong
         
        
            Author_Institution : 
Dept. of Electr. & Comput. Eng., Polytech. Univ. Brooklyn, NY
         
        
        
        
        
        
        
            Abstract : 
Distributed denial-of-service (DDoS) attacks pose a significant threat to the Internet. Most solutions proposed to-date face scalability problems as the size and speed of the network increase, with no widespread DDoS solution deployed in the industry. PacketScore has been proposed as a proactive DDoS defense scheme, which detects DDoS attacks, differentiates attack packets from legitimate ones with the use of packet scoring (where the score of a packet is calculated based on attribute values it possesses), and discards packets whose scores are lower than a dynamic threshold. In this paper, we propose ALPi, a new scheme which extends the packet scoring concept with reduced implementation complexity and enhanced performance. More specifically, a leaky-bucket overflow control scheme simplifies the score computation, and facilitates high-speed implementation. An attribute-value-variation scoring scheme analyzes the deviations of the current traffic attribute values, and increases the accuracy of detecting and differentiating attacks. An enhanced control-theoretic packet discarding method allows both schemes to be more adaptive to challenging attacks such as those with ever-changing signatures and intensities. When combined together, the proposed extensions not only greatly reduce the memory requirement and implementation complexity but also substantially improve the accuracies in attack detection and packet differentiation. This makes ALPi an attractive DDoS defense system amenable for high-speed hardware implementation
         
        
            Keywords : 
Internet; packet switching; security of data; telecommunication congestion control; telecommunication security; ALPi; DDoS defense scheme; Internet; PacketScore; distributed denial-of-service attack; enhanced control-theoretic packet discarding method; high-speed network; leaky-bucket overflow control scheme; Chaos; Computer crime; Data mining; Filters; High-speed networks; IP networks; Protection; Protocols; Scalability; Sun; Denial-of-service (DoS) attack; network security; overload control; packet differentiation;
         
        
        
            Journal_Title : 
Selected Areas in Communications, IEEE Journal on
         
        
        
        
        
            DOI : 
10.1109/JSAC.2006.877136