20-06-2012, 02:06 PM
DDoS Network Attack Recognition and Defense
Today's routers offer a best-effort service: they forward all traffic toward destinations, attempting to deliver fast and fair service to all flows. Policing, reliability, and rate-control mechanisms are therefore left to be deployed by higher layers at end hosts. This feature has been misused in distributed denial-of-service attacks, where many compromised hosts simultaneously generate excessive traffic to a victim. The number of received packets overwhelms the target, consuming its resources and rendering its services unavailable. Many attempts have been made to design systems that help identify attacking machines and stop malicious flows. Most of these systems are located on the target side (either at the victim host or somewhere in the target network), which facilitates easy detection of the problem and possible characterization of the attack signature. However, they are ineffective in stopping the attack because they require the cooperation of upstream routers to push back the attacking flows. Other proposed systems are located in the network between the attacking machines and the victim. These identify and throttle attacking flows, autonomously or acting on a signal from the victim. They require significant changes in core routers and still do not prevent malicious flows from using network resources.
We propose a system that is located at the source network router (either LAN or border router) that autonomously detects and suppresses DDoS flows originating at this network. This system observes the outgoing and incoming traffic and gathers lightweight statistics on the flows, classified by destination. These statistics, along with built-in traffic models, define legitimate traffic patterns. Any discrepancy between observed traffic and a legitimate traffic pattern for a given destination is considered to be the signal of a potential DDoS attack. The source router then decides to throttle all traffic to the suspected target of the attack and at the same time attempts to separate attacking flows from legitimate flows and identify the attacking machines. This approach has the benefit of preventing malicious flows from entering the network and consuming resources. As part of our future work, we will investigate the possibility of also deploying this system on the core routers.
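The detection logic sketched above (per-destination flow statistics, a built-in legitimate-traffic model, and a second pass that separates attacking sources from legitimate ones behind the same destination) can be illustrated with a small simulation. The following Python is an added example and is not code from the post or from any system it describes. The "legitimate traffic model" used here is an assumption: a two-way TCP exchange should send roughly as many packets as it receives, so a per-destination outgoing/incoming ratio far above that is treated as a discrepancy. The threshold constants, field layout and packet sample are all constructed for illustration.

```python
"""
Added example: a toy source-side DDoS monitor in the spirit of the post.
Model, thresholds and traffic sample are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed legitimate-traffic model for a two-way (e.g. TCP) conversation:
# a host that sends far more packets to a destination than it gets back is
# not having a normal exchange. Both constants are illustrative assumptions.
MAX_OUT_IN_RATIO = 3.0   # outgoing/incoming packets, per destination or flow
MIN_OUT_PACKETS = 20     # below this the ratio is too noisy to act on

# Constructed packet records: (internal_host, external_dst, direction)
# "out" = leaving our network toward dst, "in" = reply from dst to the host.
SAMPLE_PACKETS = (
    [("10.0.0.5", "203.0.113.10", "out")] * 10      # ordinary web session
    + [("10.0.0.5", "203.0.113.10", "in")] * 9
    + [("10.0.0.7", "203.0.113.10", "out")] * 3
    + [("10.0.0.7", "203.0.113.10", "in")] * 3
    + [("10.0.0.21", "198.51.100.9", "out")] * 40   # flooding host, few replies
    + [("10.0.0.21", "198.51.100.9", "in")] * 2
    + [("10.0.0.22", "198.51.100.9", "out")] * 35   # flooding host, no replies
    + [("10.0.0.9", "198.51.100.9", "out")] * 6     # legitimate user of the same dst
    + [("10.0.0.9", "198.51.100.9", "in")] * 5
)


@dataclass
class FlowStats:
    """Lightweight counters the router keeps per destination and per flow."""
    out: int = 0
    inbound: int = 0

    def ratio(self) -> float:
        return self.out / max(self.inbound, 1)


def gather_stats(packets):
    """Aggregate outgoing/incoming counts by destination and by (src, dst)."""
    per_dst = defaultdict(FlowStats)
    per_flow = defaultdict(FlowStats)
    for src, dst, direction in packets:
        for stats in (per_dst[dst], per_flow[(src, dst)]):
            if direction == "out":
                stats.out += 1
            else:
                stats.inbound += 1
    return per_dst, per_flow


def suspicious(stats: FlowStats) -> bool:
    """Discrepancy check against the assumed legitimate-traffic model."""
    return stats.out >= MIN_OUT_PACKETS and stats.ratio() > MAX_OUT_IN_RATIO


def analyse(packets):
    """Return {dst: {"throttle": True, "attackers": [...], "legit": [...]}}
    for every destination whose aggregate traffic violates the model.

    Step 1 (per destination): decide whether to throttle all traffic to dst.
    Step 2 (per flow): classify each internal source talking to that dst so
    that attacking machines can be identified without cutting off the
    legitimate ones entirely."""
    per_dst, per_flow = gather_stats(packets)
    verdict = {}
    for dst, agg in per_dst.items():
        if not suspicious(agg):
            continue  # aggregate matches the model; nothing to do
        attackers, legit = [], []
        for (src, d), fs in per_flow.items():
            if d != dst:
                continue
            (attackers if suspicious(fs) else legit).append(src)
        verdict[dst] = {
            "throttle": True,
            "attackers": sorted(attackers),
            "legit": sorted(legit),
        }
    return verdict


if __name__ == "__main__":
    for dst, v in analyse(SAMPLE_PACKETS).items():
        print(f"{dst}: throttle={v['throttle']} attackers={v['attackers']} legit={v['legit']}")
```

Running it flags only 198.51.100.9 (81 packets out against 7 in), names 10.0.0.21 and 10.0.0.22 as the attacking machines, and leaves 10.0.0.9 classified as legitimate even though it shares the throttled destination. The per-flow pass is what lets the router move from a coarse per-destination throttle to targeted suppression of the offending hosts; in a real deployment the model would also need per-protocol variants (UDP and ICMP do not share the symmetric TCP pattern) and time-windowed counters rather than lifetime totals.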