Distributed denial of service (DDoS) attacks exploit the availability of Web servers, resulting in the severe loss of their connectivity. We present a robust IP packets filtering mechanism which combines the detecti...Distributed denial of service (DDoS) attacks exploit the availability of Web servers, resulting in the severe loss of their connectivity. We present a robust IP packets filtering mechanism which combines the detection and filtering engine together to protect Web Servers from DDoS Attacks. The mechanism can detect DDoS attacks by inspecting inbound packets with an IP address database, and filter out lower priority IP addresses to preserve the connection for valid users by monitoring the queues status. We use the Netfilter's technique, a framework inside the Linux 2.4. X, to implement it on a Web server. Also, we evaluate this mechanism and analyze the influence of some important parameters on system performance. The experimental results show that this mechanism is effective against DDoS attacks.展开更多
The filter-based reactive packet filtering is a key technology in attack traffic filtering for defending against the Denial-of- Service (DOS) attacks. Two kinds of relevant schemes have been proposed as victim- end ...The filter-based reactive packet filtering is a key technology in attack traffic filtering for defending against the Denial-of- Service (DOS) attacks. Two kinds of relevant schemes have been proposed as victim- end filtering and source-end filtering. The first scheme prevents attack traffic from reaching the victim, but causes the huge loss of legitimate flows due to the scarce filters (termed as collateral damages); the other extreme scheme can obtain the sufficient filters, but severely degrades the network transmission performance due to the abused filtering routers. In this paper, we propose a router based packet filtering scheme, which provides relatively more filters while reducing the quantity of filtering touters. We implement this scheme on the emulated DoS scenarios based on the synthetic and real-world Internet topologies. Our evaluation results show that compared to the previous work, our scheme just uses 20% of its filtering routers, but only increasing less than 15 percent of its collateral damage.展开更多
基金Supported by the National Natural Science Foun-dation of China (60373075 ,60473055)
文摘Distributed denial of service (DDoS) attacks exploit the availability of Web servers, resulting in the severe loss of their connectivity. We present a robust IP packets filtering mechanism which combines the detection and filtering engine together to protect Web Servers from DDoS Attacks. The mechanism can detect DDoS attacks by inspecting inbound packets with an IP address database, and filter out lower priority IP addresses to preserve the connection for valid users by monitoring the queues status. We use the Netfilter's technique, a framework inside the Linux 2.4. X, to implement it on a Web server. Also, we evaluate this mechanism and analyze the influence of some important parameters on system performance. The experimental results show that this mechanism is effective against DDoS attacks.
基金supported in part by the funding agencies of china:the Doctoral Fund of Northeastern University of Qinhuangdao(Grant No.XNB201410)the Fundamental Research Funds for the Central Universities(Grant No.N130323005)
文摘The filter-based reactive packet filtering is a key technology in attack traffic filtering for defending against the Denial-of- Service (DOS) attacks. Two kinds of relevant schemes have been proposed as victim- end filtering and source-end filtering. The first scheme prevents attack traffic from reaching the victim, but causes the huge loss of legitimate flows due to the scarce filters (termed as collateral damages); the other extreme scheme can obtain the sufficient filters, but severely degrades the network transmission performance due to the abused filtering routers. In this paper, we propose a router based packet filtering scheme, which provides relatively more filters while reducing the quantity of filtering touters. We implement this scheme on the emulated DoS scenarios based on the synthetic and real-world Internet topologies. Our evaluation results show that compared to the previous work, our scheme just uses 20% of its filtering routers, but only increasing less than 15 percent of its collateral damage.