CSE581
Session 26 Distributed Denial of Service: Detection and Response
kangli@cse.ogi.edu

Paper List:

1.R. Mahajan, S. Bellovin, S. Floyd, J. Ioannidis, V. Paxson, S. Shenker, "Controlling High Bandwidth Aggregates in the Network"
2.D. Sterne, K. Djahandari, B. Wilson, B. Babson, D. Schnackenberg, H. Holliday, T. Reid, "Automatic Response to Distributed Denial of Service Attacks"
3.J. Ioannidis, S. Bellovin, "Implementing Pushback: Router-Based Defense Against DDoS Attacks"
4.T. Gil, M. Poletto, "MULTOPS: a data-structure for bandwidth attack detection"
 

Summary

Papers in this group focus on techniques for discovering and reacting to distributed denial-of-service (DDoS) attacks. DDoS attacks have been known in the research community for a long time, but only became a focus in recent years, after several publicly available attack tools made them easy to launch. All of these papers address detection and response in a very similar way, in four stages: detection, identification, response and termination.

In the detection stage, the system uses a high packet loss rate as the clue that a DDoS attack may be under way. Because responding to DDoS is costly, systems typically do not run the response machinery all the time; it is triggered only by the detection stage, i.e. only when the packet loss rate exceeds a threshold does the defense start to react.

The response starts with the identification stage, whose purpose is to locate the flows responsible for the high loss rate. Identification can rely on statistics keyed by destination IP address or on some other classification method; some of the papers [1,2] propose and show that classifying traffic by 24-bit destination prefix is very effective. The description of the traffic group found to dominate is called the congestion signature or attack signature.

Once the system has identified the dominant traffic group, it enters the response stage, where it can either filter that traffic or rate limit it. The benefit of filtering is that it eliminates any further damage the attack could cause; the drawback is that it also blocks legitimate traffic if the identification is not accurate. Rate limiting, on the other hand, reduces the impact of the attack while still letting normal users reach their services. Another question about the response is whether to apply the control locally or to cooperate with other nodes and push the limit toward the source.
To let nodes cooperate, pushback protocols [1,3] are designed to coordinate routers so that they can exchange congestion signatures and rate-limiting requests.

After a response has started, the next problem is when to terminate it. These papers suggest that termination can again be based on the packet loss rate: a router can stop rate limiting or filtering some flows when the packet loss rate falls below a certain threshold. However, special care should be taken not to flood downstream nodes when the filtering or rate limiting is removed.
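The four stages above, as an added toy simulation written for this summary (it is not code from any of the listed papers). It models one router with a fixed per-window link capacity: congestion drops above LOSS_HIGH trigger identification, the dropped packets are clustered by /24 destination prefix to build the congestion signature, the identified aggregates are rate limited so the rest of the traffic fits the link, and limits are released gradually once the loss rate is below LOSS_LOW. The thresholds, the packet layout, the 100-packet capacity, the install() method standing in for a pushback request, and the traffic mix are all assumptions made for the example.

```python
"""Toy pushback-style router: detection -> identification -> response -> termination.
Added example for this summary; all thresholds and traffic below are assumptions."""
from collections import Counter
from itertools import zip_longest
import ipaddress

LOSS_HIGH = 0.10    # detection: start identifying/limiting above this drop rate (assumed)
LOSS_LOW = 0.02     # termination: consider releasing limits below this drop rate (assumed)
PREFIX_BITS = 24    # aggregate granularity: /24 destination prefix


def prefix_of(dst, bits=PREFIX_BITS):
    """Aggregate key for a destination address: its /24 network."""
    return str(ipaddress.ip_network(f"{dst}/{bits}", strict=False))


def identify_aggregates(dropped, min_share=0.5):
    """Identification: cluster dropped packets by prefix and return the fewest
    prefixes that together account for at least min_share of the drops."""
    counts = Counter(prefix_of(p["dst"]) for p in dropped)
    total = sum(counts.values())
    chosen, covered = [], 0
    for prefix, n in counts.most_common():
        chosen.append(prefix)
        covered += n
        if covered >= min_share * total:
            break
    return chosen


class PushbackRouter:
    def __init__(self, capacity):
        self.capacity = capacity   # packets the outbound link forwards per window
        self.limits = {}           # congestion signature: prefix -> packets per window

    def install(self, signature):
        """Stand-in for a pushback request from downstream: adopt its limits upstream."""
        self.limits.update(signature)

    def forward(self, packets):
        # Response: enforce the per-aggregate budgets for prefixes already identified.
        sent = Counter()
        admitted, rate_limited = [], 0
        for p in packets:
            key = prefix_of(p["dst"])
            if key in self.limits and sent[key] >= self.limits[key]:
                rate_limited += 1
                continue
            sent[key] += 1
            admitted.append(p)
        # Admitted packets beyond link capacity are congestion (tail) drops; only these,
        # not the deliberate rate-limit drops, feed the loss-rate signal.
        forwarded, dropped = admitted[:self.capacity], admitted[self.capacity:]
        loss = len(dropped) / len(packets) if packets else 0.0

        if loss > LOSS_HIGH:
            # Detection fired: identify the responsible aggregates and cap each one so
            # that the remaining (unlimited) traffic fits the link.
            chosen = identify_aggregates(dropped)
            others = sum(1 for p in admitted if prefix_of(p["dst"]) not in chosen)
            budget = max(1, (self.capacity - others) // len(chosen))
            for prefix in chosen:
                self.limits[prefix] = budget
        elif loss < LOSS_LOW:
            # Termination: an aggregate that no longer fills its budget is released
            # gradually (budget doubled per quiet window) so downstream is not flooded.
            for prefix in list(self.limits):
                if sent[prefix] < self.limits[prefix]:
                    self.limits[prefix] *= 2
                    if self.limits[prefix] >= self.capacity:
                        del self.limits[prefix]
        return {"forwarded": len(forwarded), "congestion_drops": len(dropped),
                "rate_limited": rate_limited, "loss": loss,
                "limits": dict(self.limits)}


def make_window(attack_packets, legit_packets):
    """Constructed traffic for one window (sample data, not a real trace): an attack
    on one /24 interleaved with legitimate traffic spread over ten /24s."""
    attack = [{"dst": f"192.0.2.{i % 254 + 1}"} for i in range(attack_packets)]
    legit = [{"dst": f"10.0.{i % 10}.{i // 10 + 1}"} for i in range(legit_packets)]
    return [p for pair in zip_longest(attack, legit) for p in pair if p]


def run_demo():
    """Per-window results: two windows under attack, then two quiet windows."""
    r = PushbackRouter(capacity=100)
    return [r.forward(make_window(140, 60)), r.forward(make_window(140, 60)),
            r.forward(make_window(0, 60)), r.forward(make_window(0, 60))]


if __name__ == "__main__":
    for i, w in enumerate(run_demo(), 1):
        print(f"window {i}: {w}")
```

In the first window the link is overloaded (loss 0.5), the dropped packets are dominated by 192.0.2.0/24, and that prefix gets a budget of 40 packets so the 60 legitimate packets fit the 100-packet link. In the second window the attack is rate limited and congestion drops fall to zero, but the limit stays because the aggregate still fills its budget. Once the attack stops, the budget doubles each quiet window and is dropped when it exceeds link capacity, which is the gradual release the termination paragraph calls for.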

Slides

The slides can be accessed from here.