Home > Research > Publications & Outputs > An Inter-domain Collaboration Scheme to Remedy ...

Electronic data

  • 08344498

    Rights statement: ©2018 IEEE. Personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works must be obtained from the IEEE.

    Accepted author manuscript, 1.39 MB, PDF document

    Available under license: CC BY

Links

Text available via DOI:

View graph of relations

An Inter-domain Collaboration Scheme to Remedy DDoS Attacks in Computer Networks

Research output: Contribution to journalJournal articlepeer-review

Published

Standard

An Inter-domain Collaboration Scheme to Remedy DDoS Attacks in Computer Networks. / Simpson, Steven; Shirazi, Syed Noorulhassan ; Marnerides, Angelos; Jouet, Simon; Pezaros, Dimitrios; Hutchison, David.

In: IEEE Transactions on Network and Service Management, Vol. 15, No. 3, 01.09.2018, p. 879-893.

Research output: Contribution to journalJournal articlepeer-review

Harvard

APA

Vancouver

Author

Simpson, Steven ; Shirazi, Syed Noorulhassan ; Marnerides, Angelos ; Jouet, Simon ; Pezaros, Dimitrios ; Hutchison, David. / An Inter-domain Collaboration Scheme to Remedy DDoS Attacks in Computer Networks. In: IEEE Transactions on Network and Service Management. 2018 ; Vol. 15, No. 3. pp. 879-893.

Bibtex

@article{4a8f6b6357fa4279b9bdade0f5b67973,
title = "An Inter-domain Collaboration Scheme to Remedy DDoS Attacks in Computer Networks",
abstract = "Distributed Denial-of-Service (DDoS) attacks continue to trouble network operators and service providers, and with increasing intensity. Effective response to DDoS can be slow (because of manual diagnosis and interaction) and potentially self-defeating (as indiscriminate filtering accomplishes a likely goal of the attacker), and this is the result of the discrepancy between the service provider's flow-based, application-level view of traffic and the network operator's packet-based, network-level view and limited functionality. Furthermore, a network required to take action may be in an Autonomous System (AS) several AS-hops away from the service, so it has no direct relationship with the service on whose behalf it acts. This paper presents Antidose, a means of interaction between a vulnerable peripheral service and an indirectly related AS that allows the AS to confidently deploy local filtering with discrimination under the control of the remote service.We implement the core filtering mechanism of Antidose, and provide an analysis of it to demonstrate that conscious attacks against the mechanism will not expose the AS to additional attacks. We present a performance evaluation to show that the mechanism is operationally feasible in the emerging trend of operators' willingness to increase the programmability of their hardware with SDN technologies such as OpenFlow, as well as to act to mitigate attacks on downstream customers.",
keywords = "Distributed Denial-of-Service, Antidose, mitigation, BPFabric, network security, network resilience, bandwidth saturation attacks, network management, inter-domain collaboration",
author = "Steven Simpson and Shirazi, {Syed Noorulhassan} and Angelos Marnerides and Simon Jouet and Dimitrios Pezaros and David Hutchison",
year = "2018",
month = sep,
day = "1",
doi = "10.1109/TNSM.2018.2828938",
language = "English",
volume = "15",
pages = "879--893",
journal = "IEEE Transactions on Network and Service Management",
issn = "1932-4537",
publisher = "IEEE-INST ELECTRICAL ELECTRONICS ENGINEERS INC",
number = "3",

}

RIS

TY - JOUR

T1 - An Inter-domain Collaboration Scheme to Remedy DDoS Attacks in Computer Networks

AU - Simpson, Steven

AU - Shirazi, Syed Noorulhassan

AU - Marnerides, Angelos

AU - Jouet, Simon

AU - Pezaros, Dimitrios

AU - Hutchison, David

PY - 2018/9/1

Y1 - 2018/9/1

N2 - Distributed Denial-of-Service (DDoS) attacks continue to trouble network operators and service providers, and with increasing intensity. Effective response to DDoS can be slow (because of manual diagnosis and interaction) and potentially self-defeating (as indiscriminate filtering accomplishes a likely goal of the attacker), and this is the result of the discrepancy between the service provider's flow-based, application-level view of traffic and the network operator's packet-based, network-level view and limited functionality. Furthermore, a network required to take action may be in an Autonomous System (AS) several AS-hops away from the service, so it has no direct relationship with the service on whose behalf it acts. This paper presents Antidose, a means of interaction between a vulnerable peripheral service and an indirectly related AS that allows the AS to confidently deploy local filtering with discrimination under the control of the remote service.We implement the core filtering mechanism of Antidose, and provide an analysis of it to demonstrate that conscious attacks against the mechanism will not expose the AS to additional attacks. We present a performance evaluation to show that the mechanism is operationally feasible in the emerging trend of operators' willingness to increase the programmability of their hardware with SDN technologies such as OpenFlow, as well as to act to mitigate attacks on downstream customers.

AB - Distributed Denial-of-Service (DDoS) attacks continue to trouble network operators and service providers, and with increasing intensity. Effective response to DDoS can be slow (because of manual diagnosis and interaction) and potentially self-defeating (as indiscriminate filtering accomplishes a likely goal of the attacker), and this is the result of the discrepancy between the service provider's flow-based, application-level view of traffic and the network operator's packet-based, network-level view and limited functionality. Furthermore, a network required to take action may be in an Autonomous System (AS) several AS-hops away from the service, so it has no direct relationship with the service on whose behalf it acts. This paper presents Antidose, a means of interaction between a vulnerable peripheral service and an indirectly related AS that allows the AS to confidently deploy local filtering with discrimination under the control of the remote service.We implement the core filtering mechanism of Antidose, and provide an analysis of it to demonstrate that conscious attacks against the mechanism will not expose the AS to additional attacks. We present a performance evaluation to show that the mechanism is operationally feasible in the emerging trend of operators' willingness to increase the programmability of their hardware with SDN technologies such as OpenFlow, as well as to act to mitigate attacks on downstream customers.

KW - Distributed Denial-of-Service

KW - Antidose

KW - mitigation

KW - BPFabric

KW - network security

KW - network resilience

KW - bandwidth saturation attacks

KW - network management

KW - inter-domain collaboration

U2 - 10.1109/TNSM.2018.2828938

DO - 10.1109/TNSM.2018.2828938

M3 - Journal article

VL - 15

SP - 879

EP - 893

JO - IEEE Transactions on Network and Service Management

JF - IEEE Transactions on Network and Service Management

SN - 1932-4537

IS - 3

ER -