TY - JOUR
T1 - ALPi
T2 - A DDoS defense system for high-speed networks
AU - Ayres, Paulo E.
AU - Sun, Huizhong
AU - Chao, H. Jonathan
AU - Lau, Wing Cheong
N1 - Funding Information:
Manuscript received September 20, 2005; revised April 11, 2006. The work of H. J. Chao was supported in part by New York State, NYSTAR. The work of W. C. Lau was supported in part by the Chinese University of Hong Kong under RGC/CUHK Direct Grant 2050368.
PY - 2006/10
Y1 - 2006/10
N2 - Distributed denial-of-service (DDoS) attacks pose a significant threat to the Internet. Most solutions proposed to date face scalability problems as the size and speed of the network increase, with no widespread DDoS solution deployed in the industry. PacketScore has been proposed as a proactive DDoS defense scheme, which detects DDoS attacks, differentiates attack packets from legitimate ones with the use of packet scoring (where the score of a packet is calculated based on attribute values it possesses), and discards packets whose scores are lower than a dynamic threshold. In this paper, we propose ALPi, a new scheme which extends the packet scoring concept with reduced implementation complexity and enhanced performance. More specifically, a leaky-bucket overflow control scheme simplifies the score computation, and facilitates high-speed implementation. An attribute-value-variation scoring scheme analyzes the deviations of the current traffic attribute values, and increases the accuracy of detecting and differentiating attacks. An enhanced control-theoretic packet discarding method allows both schemes to be more adaptive to challenging attacks such as those with ever-changing signatures and intensities. When combined together, the proposed extensions not only greatly reduce the memory requirement and implementation complexity but also substantially improve the accuracies in attack detection and packet differentiation. This makes ALPi an attractive DDoS defense system amenable to high-speed hardware implementation.
KW - Denial-of-service (DoS) attack
KW - Network security
KW - Overload control
KW - Packet differentiation
UR - http://www.scopus.com/inward/record.url?scp=33749824252&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=33749824252&partnerID=8YFLogxK
U2 - 10.1109/JSAC.2006.877136
DO - 10.1109/JSAC.2006.877136
M3 - Article
AN - SCOPUS:33749824252
SN - 0733-8716
VL - 24
SP - 1864
EP - 1875
JO - IEEE Journal on Selected Areas in Communications
JF - IEEE Journal on Selected Areas in Communications
IS - 10
M1 - 1705618
ER -