LU Ning, WANG Yulong, SHI Wenbo, LI Guorui, DIAO Ding. Filtering Location Optimization for Defending Against Large-Scale BDoS Attacks[J]. Chinese Journal of Electronics, 2017, 26(2): 435-444. doi: 10.1049/cje.2017.01.016

Filtering Location Optimization for Defending Against Large-Scale BDoS Attacks

doi: 10.1049/cje.2017.01.016
Funds:  This work is supported by the Doctoral Fund of Northeastern University at Qinhuangdao (No.XNB201410), the Fundamental Research Funds for the Central Universities (No.N130323005), the Natural Science Foundation of Hebei Province of China (No.F2015501122, No.F2016501076), the Doctoral Scientific Research Foundation of Liaoning Province (No.F201501143), the National Natural Science Foundation of China (No.61402094, No.61601107), and A Project Funded by the Priority Academic Program Development of Add All Numbers Together Higher Education Institute; Jiangsu Collaborative Innovation Center of Atmospheric Environment and Equipment Technology.
  • Received Date: 2015-10-22
  • Rev Recd Date: 2016-04-19
  • Publish Date: 2017-03-10
  • This paper focuses on selecting appropriate filtering locations to minimize the number of filtering routers in traceback-based packet filtering for defending against large-scale Bandwidth denial-of-service (BDoS) attacks. Filtering location selection can be viewed as a resource allocation problem; we formulate it as an integer linear programming model and design an exact and computationally efficient filtering location algorithm. The evaluation results show that our algorithm brings significant benefits in practice.