Filtering Location Optimization for Defending Against Large-Scale BDoS Attacks

LU Ning; WANG Yulong; SHI Wenbo; LI Guorui; DIAO Ding

doi:10.1049/cje.2017.01.016

Volume 26 Issue 2

Turn off MathJax

Article Contents

Article Navigation > Chinese Journal of Electronics > 2017 > 26(2): 435-444

LU Ning, WANG Yulong, SHI Wenbo, et al., “Filtering Location Optimization for Defending Against Large-Scale BDoS Attacks,” Chinese Journal of Electronics, vol. 26, no. 2, pp. 435-444, 2017, doi: 10.1049/cje.2017.01.016

Citation:

LU Ning, WANG Yulong, SHI Wenbo, et al., “Filtering Location Optimization for Defending Against Large-Scale BDoS Attacks,” Chinese Journal of Electronics, vol. 26, no. 2, pp. 435-444, 2017, doi: 10.1049/cje.2017.01.016

Citation:

PDF( 924 KB)

Filtering Location Optimization for Defending Against Large-Scale BDoS Attacks

doi: 10.1049/cje.2017.01.016

1.
Northeastern University, Shenyang 110000, China;
2.
Nanjing University of Information Science and Technology, Nanjing 210044, China;
3.
Beijing University of Posts and Telecommunications, Beijing 100876, China

Funds: This work is supported by the Doctoral Fund of Northeastern University at Qinhuangdao (No.XNB201410), the Fundamental Research Funds for the Central Universities (No.N130323005), the Natural Science Foundation of Hebei Province of China (No.F2015501122, No.F2016501076), the Doctoral Scientific Research Foundation of Liaoning Province (No.F201501143), the National Natural Science Foundation of China (No.61402094, No.61601107), and A Project Funded by the Priority Academic Program Development of Add All Numbers Together Higher Education Institute; Jiangsu Collaborative Innovation Center of Atmospheric Environment and Equipment Technology.

Received Date: 2015-10-22
Rev Recd Date: 2016-04-19
Publish Date: 2017-03-10

Abstract

Abstract

This paper focuses on selecting the appropriate filtering location to minimize the amount of filtering routers in the traceback-based packet filtering for defending against the large-scale Bandwidth denial-of-service (BDoS) attacks. The filtering location can be viewed as a resource allocation problem and further we formulate it to an integer linear programming model and design an exact and computationally efficient filtering location algorithm. The evaluation results show that our algorithm brings significant benefits in practice.
- BDoS attack,
- Filtering location problem

FullText(HTML)

References(21)

References

J. Lee, "Scalable multicast based filtering and tracing framework for defeating distributed DoS attacks", International Journal of Network Management, Vol.14, pp.1-14, 2004.

K. Argyraki and R.D. Cheriton, "Scalable network-layer defense against internet bandwidth-flooding attacks", IEEE/ACM Transactions on Networking, Vol.17, pp.1284-1297, 2009.

D. Seo, H. Lee and A. Perrig, "APFS:Adaptive probabilistic filter scheduling against distributed denial-of-service attacks", Computers & Security, Vol.39, pp.366-385, 2013.

X. Liu, X. Yand and Y. Lu, "To filter or to authorize:network-layer DoS defense against multimillion-node botnets", ACM SIGCOMM Computer Communication Review, Vol.38, pp.195-206, 2008.

M. Fallah and N. Kahani, "TDPF:A traceback-based distributed packet filter to mitigate spoofed DDoS attacks", Security and Communication Networks, Vol.7, pp.245-264, 2014.

H. Beitollahi and G. Deconinck, "Analyzing well-known countermeasures against distributed denial of service attacks", Computer Communications, Vol.35, pp.1312-1332, 2012.

C.H. Sun and B. Liu, "Survey on new solutions against distributed denial of service attacks", Acta Electronica Sinica, Vol.37, No.7, pp.1562-1570, 2009.

H. Roger, "Why you don't need to throw bandwidth at performance problems", http://www.techradar.com/news/networking, 2005.

Cisco, "Transforming network capacity planning from an art to a science", http://www.cisco.com/c/dam/en/us/products/col-lateral/ios-nx-os-software/ios-netflow, 2005.

G. Hu, K. Xu, J. Wu and Y. Cui, "A general framework of source address validation and traceback for IPv4/IPv6 transition scenarios", IEEE Network, Vol.27, pp.66-73, 2013.

T. Kim, C. Basescu and L. Jia, "Lightweight source authentication and path validation", Proc. of ACM SIGCOMM, Chicago, Illinois, USA, pp.1-12, 2014.

H. Wang, Q. Jia, F. Dan and P. Walter, "A moving target DDoS defense mechanism", Computer Communications, Vol.46, pp.10-21, 2014.

B. Liu and V. Athanasios, "Toward incentivizing anti-spoofing deployment", IEEE Transaction on Information Forensics and Security, Vol.9, pp.436-450, 2014.

Z.J. Wu, G. Li and M. Yue,"Detecting low-rate DoS attacks based on signal cross-correlation", Acta Electronica Sinica, Vol.42, No.9, pp.1760-1766, 2014.

Z.J. Wu and B.S. Pei, "The detection of LDoS attack based on the model of small signal", Acta Electronica Sinica, Vol.39, No.6, pp.1456-1460, 2011.

A. Vahid and A.N. Zincir-Heywood, "TDFA:Traceback-based defense against DDoS flooding attacks", Proc. of Advanced Information Networking and Applications, Victoria, Canada, pp.597-603, 2014.

N. Lu, Y.L. Wang, S. Su and F.C. Yang, "A novel path-based approach for single-packet IP traceback", Security and Communication Networks, Vol.7, pp.309-321, 2013.

A. Schrijver, Theory of Linear and Integer Programming, John Wiley & Sons, New York, USA, 1998.

"Omnetpp++", www.omnetpp.org/, 2011.

Cooperative Association for Internet Data Analysis, "ITDK 9812", http://www.caida.org/data/active/internet-topology-data-kit, 2011.

X. Liao and C.W. Shu, "Reversible data hiding in encrypted images based on absolute mean difference of multiple neighboring pixels", Journal of Visual Communication and Image Representation, Vol.28, pp.21-27, 2015.

Relative Articles

Supplements(0)

Cited By

Proportional views