Source Router Approach to DDoS Defense
Jelena Mirković and Peter Reiher, UCLA
USENIX Work-In Progress Session, Washington DC, 08/17/2001
{sunshine, reiher}@cs.ucla.edu
Dec 23, 2015
Approach Overview
Goal: Prevent our site from participating in DDoS attack
Monitor incoming and outgoing traffic looking for signs that some destination is in trouble
Reduce traffic to that destination
Separate attacking from normal flows
Shut down attacking machines
[Figure: network diagram with nodes A through J, repeated across the Approach Overview slides]
Related Work - MULTOPS
Yes, it is similar to MULTOPS, but:
It is located on source side only
Traffic models do not rely only on packet ratio
Discovery of attacking machines
Can be pushed further in the network
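One way the monitoring, flow separation and discovery steps above could be realized at a source router, as an added example that is not from the original slides or the authors' implementation. It uses only the packet ratio as its traffic model; the network prefix, thresholds, function names and sample traffic are assumptions.

```python
import ipaddress
from collections import Counter

# Assumptions, not values from the slides:
LOCAL_NET = ipaddress.ip_network("10.0.0.0/24")  # the site behind the source router
MAX_RATIO = 3.0   # sent/received packets tolerated before raising an alarm
MIN_SENT = 20     # skip destinations with too few packets to judge

def is_local(addr):
    return ipaddress.ip_address(addr) in LOCAL_NET

def analyze_window(packets):
    """packets: (src, dst) pairs seen at the router during one time window.
    Returns {destination: {"ratio": r, "throttle": [...], "keep": [...]}}
    for every destination whose aggregate packet ratio is abnormal."""
    sent, received = Counter(), Counter()   # both keyed by (local, remote)
    for src, dst in packets:
        if is_local(src) and not is_local(dst):
            sent[(src, dst)] += 1
        elif is_local(dst) and not is_local(src):
            received[(dst, src)] += 1

    report = {}
    for remote in sorted({r for _, r in sent}):
        flows = {l: n for (l, r), n in sent.items() if r == remote}
        total_sent = sum(flows.values())
        total_recv = sum(n for (l, r), n in received.items() if r == remote)
        ratio = total_sent / max(total_recv, 1)
        if total_sent < MIN_SENT or ratio <= MAX_RATIO:
            continue  # destination looks healthy
        # Separate flows: one-sided flows are throttled, two-way flows are kept.
        throttle = sorted(l for l, n in flows.items()
                          if n / max(received[(l, remote)], 1) > MAX_RATIO)
        report[remote] = {"ratio": ratio, "throttle": throttle,
                          "keep": sorted(set(flows) - set(throttle))}
    return report

# Constructed sample window: 10.0.0.9 floods 198.51.100.7 and gets no replies,
# 10.0.0.5 has a normal two-way exchange with the same host, and
# 10.0.0.5 also talks normally to 203.0.113.4.
SAMPLE = ([("10.0.0.9", "198.51.100.7")] * 200
          + [("10.0.0.5", "198.51.100.7"), ("198.51.100.7", "10.0.0.5")] * 30
          + [("10.0.0.5", "203.0.113.4"), ("203.0.113.4", "10.0.0.5")] * 40)

if __name__ == "__main__":
    for dst, info in analyze_window(SAMPLE).items():
        print(dst, round(info["ratio"], 2), "throttle:", info["throttle"], "keep:", info["keep"])
```

The hosts listed under "throttle" are the candidates for the "shut down attacking machines" step, while the two-way flow to the same destination is left alone.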
[Figure: Stable Packet Ratio in Mixed Traffic; axes: time vs. packet ratio]
[Figure: Stable Packet Ratio in TCP Traffic; axes: time vs. packet ratio]
[Figure: Stable Packet Ratio in UDP Traffic (two slides); axes: time vs. packet ratio]
[Figure: Variable Packet Ratio in Mixed Traffic; curves labelled DDoS + FTP, FTP, DDoS; axes: time vs. packet ratio]
[Figure: Variable Packet Ratio in Attack Traffic]
Challenges
Router performance.
Why would ISP implement this?
False positives.
Multicast traffic is usually unidirectional.
Asymmetric routes.
Throttling and TCP congestion control mechanism.
Traffic patterns in the Internet change drastically over time.
For More Info...
http://fmg-www.cs.ucla.edu/ddos