TY - GEN
T1 - RateGuard
T2 - 2009 IEEE Global Telecommunications Conference, GLOBECOM 2009
AU - Sun, Huizhong
AU - Ngan, Wingchiu
AU - Chao, H. Jonathan
PY - 2009
Y1 - 2009
N2 - One of the major threats to cyber security is the Distributed Denial-of-Service (DDoS) attack. In this paper, we focus on three kinds of sophisticated DDoS attacks that seriously cripple current DDoS defense systems and have not yet been solved. In Fast Adaptive Attacks (FAAs), attackers adaptively generate attack traffic based on feedback from the victim within one Round Trip Time (RTT). Almost all proposed rules-based filtering schemes cannot effectively defend against FAAs, since they need a relatively long time (compared to the RTT) to update their filtering rules. In Adaptive Attacks with statistical filtering rules Scanning (AAS), attackers circumvent the defense system by discovering its statistical filtering rules and then generating flooding traffic that mimics nominal traffic. In Low-Rate TCP Attacks (LRAs), attackers send periodic attack pulses that overflow a router's buffer and force legitimate TCP flows to low throughput, while staying under the radar with a very low average rate. In this paper, we propose a Leaky-Bucket (LB) based, highly robust DDoS defense system called RateGuard. It reacts to FAAs and LRAs by rate-limiting excessive traffic in real time according to the victim's nominal traffic profile. Moreover, by associating an LB with each joint attribute value, the huge space of possible joint attribute values makes it almost impossible for attackers to scan the victim's nominal traffic profile and, thus, makes RateGuard highly robust against AAS and other sophisticated attacks.
KW - Distributed denial-of-service attack
KW - Fast adaptive attacks
KW - Low-rate TCP attacks
KW - Statistical filtering rules
UR - http://www.scopus.com/inward/record.url?scp=77951573795&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=77951573795&partnerID=8YFLogxK
U2 - 10.1109/GLOCOM.2009.5425941
DO - 10.1109/GLOCOM.2009.5425941
M3 - Conference contribution
AN - SCOPUS:77951573795
SN - 9781424441488
T3 - GLOBECOM - IEEE Global Telecommunications Conference
BT - GLOBECOM 2009 - 2009 IEEE Global Telecommunications Conference
Y2 - 30 November 2009 through 4 December 2009
ER -
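The per-joint-attribute leaky-bucket mechanism the abstract describes, as an added example in Python that is not code from the paper or its authors: each (protocol, destination port, TTL class) tuple selects its own bucket sized from a nominal profile, a constructed one-second trace mixes legitimate traffic with a low-rate pulse attack on the same joint key and a scanning attacker that matched only the port, and the limiter clips each pulse on arrival with no rule-update delay. The attribute choice, the profile numbers, the default bucket for unknown keys and the traffic itself are assumptions made here, not values from the paper.

```python
"""Per-key leaky-bucket rate limiting in the spirit of RateGuard (added example)."""
from collections import namedtuple
from typing import Dict, List, Tuple

# A packet as seen at the victim's ingress. Times are integer microseconds so
# the arithmetic below is exact. 'label' only tags the traffic class for the
# simulation's bookkeeping; the limiter never looks at it.
Packet = namedtuple("Packet", "t proto dport ttl size label")

# Joint attribute value that selects one bucket (assumed choice of attributes).
AttrKey = Tuple[str, int, int]


def joint_key(p: Packet) -> AttrKey:
    """(protocol, destination port, TTL class): several fields jointly, so the
    profile an attacker would have to scan is the product of their ranges."""
    return (p.proto, p.dport, p.ttl // 32)


class LeakyBucket:
    """Leaky bucket used as a meter. 'level' is the backlog in bytes; it drains
    at 'rate' bytes per microsecond, and a packet is admitted only if backlog
    plus packet still fits under 'capacity' (the burst tolerance)."""

    def __init__(self, rate: float, capacity: int) -> None:
        self.rate = rate
        self.capacity = capacity
        self.level = 0.0
        self.last = 0

    def admit(self, now: int, size: int) -> bool:
        elapsed = max(0, now - self.last)
        self.level = max(0.0, self.level - elapsed * self.rate)
        self.last = now
        if self.level + size > self.capacity:
            return False          # excess over the nominal profile: drop now
        self.level += size
        return True


class JointAttributeLimiter:
    """One leaky bucket per joint attribute value. The nominal profile maps a
    key to (rate, capacity); keys absent from the profile get a tight default
    bucket (an assumption here), so traffic that mimics only some attributes
    lands in a bucket that admits almost nothing."""

    def __init__(self, profile: Dict[AttrKey, Tuple[float, int]],
                 default: Tuple[float, int]) -> None:
        self.profile = profile
        self.default = default
        self.buckets: Dict[AttrKey, LeakyBucket] = {}

    def admit(self, p: Packet) -> bool:
        key = joint_key(p)
        bucket = self.buckets.get(key)
        if bucket is None:
            rate, cap = self.profile.get(key, self.default)
            bucket = self.buckets[key] = LeakyBucket(rate, cap)
        return bucket.admit(p.t, p.size)


def build_traffic() -> List[Packet]:
    """Constructed one-second trace (microsecond timestamps), not measured data."""
    pkts = []
    # Legitimate web traffic: 1000 B every 2 ms, i.e. half the nominal rate.
    for t in range(0, 1_000_000, 2000):
        pkts.append(Packet(t, "tcp", 80, 64, 1000, "legit"))
    # Low-rate TCP attack: two 150 KB pulses per second on the same joint key.
    # Its average (0.3 MB/s) sits below the 1 MB/s profile, but each pulse
    # would overflow a router buffer if let through intact.
    for t0 in (250_500, 750_500):
        pkts.extend(Packet(t0, "tcp", 80, 64, 1500, "lra") for _ in range(100))
    # Scanning attacker that matched destination port 80 but not the TTL class.
    pkts.extend(Packet(600_000, "tcp", 80, 200, 1500, "aas") for _ in range(100))
    return sorted(pkts, key=lambda p: p.t)   # stable sort keeps pulse order


def simulate() -> Dict[str, Tuple[int, int, int]]:
    """Run the trace; return {label: (admitted_pkts, dropped_pkts, admitted_bytes)}."""
    profile = {("tcp", 80, 64 // 32): (1.0, 20_000)}   # 1 B/us = 1 MB/s, 20 KB burst
    limiter = JointAttributeLimiter(profile, default=(0.01, 3000))
    stats: Dict[str, List[int]] = {}
    for p in build_traffic():
        s = stats.setdefault(p.label, [0, 0, 0])
        if limiter.admit(p):
            s[0] += 1
            s[2] += p.size
        else:
            s[1] += 1
    return {k: tuple(v) for k, v in stats.items()}


if __name__ == "__main__":
    for label, (ok, dropped, nbytes) in simulate().items():
        print(f"{label:5s} admitted={ok:4d} dropped={dropped:4d} bytes={nbytes}")
```

Each pulse is clipped to the bucket's burst tolerance on the packets' arrival, which is the property that defeats an attacker who adapts within one RTT: there is no rule to update. Two caveats a practitioner would want to keep in mind. An attacker who matches the legitimate joint key exactly shares that flow's bucket, so the aggregate stays bounded but legitimate packets can be squeezed when that key already runs close to its nominal rate; in the trace above the legitimate flow survives only because it uses half its budget. And the robustness against scanning comes from keeping one bucket per joint attribute value, so the memory for that state grows with the number of keys actually observed.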