Interactive Informatics on Internet Infrastructure

Document Sample
Interactive Informatics on Internet Infrastructure Powered By Docstoc
					     Interactive Informatics on Internet Infrastructure
              F Zhao, V. R. Vemuri, S. F. Wu                                     F Xue, S. J. B. Yoo
               Department of Computer Science                      Department of Electrical and Computer Engineering
                University of California, Davis                             University of California, Davis
            {fanzhao, rvemuri, sfwu}                              {fxue, yoo}

   Abstract- We present the design and evaluation of 14, a              Our contributions in this paper are as follows: First we
network infrastructure that enables information exchange and         present a generic inter-domain information exchange frame-
collaboration among different domains. 14 can help with network      work to tackle a large range of challenging problems. Sec-
management in many scenarios, such as when eliminating the
unwanted traffic to improve the network performance as well          ond, we present the detailed design of this infrastructure
as diagnosing the network problems. We present the Distributed       and demonstrate the effectiveness of information exchange
Denial-of-Service (DDoS) attack as an example to demonstrate         by using DDoS attack as an example. Third, we describe
the advantages of 14. Simulation results show that 14 can            accompanying algorithms and ideas, such as weight-based
significantly reduce the amount of DDoS attack packets and           resource allocation and scheduling, and "received key" based
dramatically improve the quality of services received by legit-
imate users. Our design provides attractive properties, such as      authentication mechanism that might be of independent inter-
incremental deployment as well as incentives for such deployment     ests.
etc.                                                                    Different from the traditional client-server mode, 14 is de-
                                                                     signed as a peer-to-peer overlay network, where every partici-
                      I. INTRODUCTION                                pating domain can initialize and respond the request. Without
   With the rapid growth of the Internet and applications, the       the centralized architecture, 14 not only scales well with the
network management becomes a more and more important                 size of the Internet, but also is robust against the single-point
issue. For example, the traffic on the today's Internet is mixed     failure. We design 14 to be practical in the following key
with the "good" and the "bad" packets, such as Denial-of-            aspects. First, 14 strongly incents both ISP domains and cus-
Service attack packets, Spam, Virus, Worm etc. However with          tomer domains to deploy. Second, 14 supports the incremental
the current Internet infrastructure, all the traffic is simply       deployment that allows the participating domains to have the
forwarded by the ISP domains with "best efforts" and the             immediate benefits. Third, we design the information exchange
destination domains can only passively receive all the traffic       procedure to be efficient and secure against various attacks.
arriving at their links. The bad packets not only waste the             This paper is organized as follows. Section II describes the
resources of their recipients, but also consume the band-            architecture of 14. Section III presents the detailed information
width inside the ISP domains, which adversely affects the            interaction procedure in the case of DDoS attacks. Section IV
performance of good end-to-end applications. Moreover, while         shows that the useful knowledge can be extracted from in-
overall still fairly stable, the Internet is fragile to failures due formation exchanged. Section V studies several procedures
to attacks or human mistakes and it is difficult to recover from     to throttle the DDoS attack traffic by applying the extracted
failures in a timely and effectively manner. Today only a few        knowledge and presents the NS-2 simulation results. In the
end-to-end measurement tools, such as traceroute and ping,           following sections we summarize the advantages of 14, discuss
and perhaps BGP information are available to help detect             related issues and present a survey of related works.
and diagnose the network problem, which provides limited
and sometimes confusing information. Network management                                 II. THE ARCHITECTURE OF 14
is vital to the success of the next generation Internet.             A. Overview
   In this paper, we propose Internet Information Interaction          Conceptually, each Autonomous System' (AS) in the Inter-
Infrastructure (14) to enable the information exchange among net supporting 14 has one 14 agent responsible for the task of
domains. In many scenarios, network management would information interaction in this domain (see Fig. 1). Generally
benefit from additional information from remote domains speaking, when one agent in the Internet observes a piece
involved in the network events. The information is interactively of original "information", e.g. one or a sequence of packets,
and automatically exchanged in 14, which helps the Internet it generates a query regarding this piece of information, and
adapt to network dynamics and response to network problems sends this query, usually together with some additional infor-
promptly without human involvement. Another benefit is that mation, to another agent that is responsible for interpreting the
the inter-domain collaboration is made possible. For example, query and providing an answer. Finally the agent that sent the
the ISP domain could leverage on the rich capability of query will take actions based on the content of the answer
intrusion detection in its customer domains to identify the received. This kind of information exchange is termed the
offending or unwelcome traffic. By eliminating the unwanted "pull" mode; because from the perspective of the initiator, the
traffic, the ISP domain saves the resources of both its customer
domains and itself.                                                    'In this paper, "AS" is used exchangeably with "domain".

                                            1-4244-0799-0/07/$25.00 t2007 IEEE                                                 90

          datackets             _        _9,   t              tUr        S               query or answer                             action
                                                                                                                         14 agent             router
Fig. 1. The 14 agent in Di, denoted by Ai, observes some packets in the
end-to-end communication between S and D. Aq    generates a query and sends                                               router 3
to the 14 agent, AD, in D. When this query arrives at D, AD generates an
answer with the help of local Intrusion Detection System (IDS) and other
knowledge, and returns back to A1. Finally A1 will make decisions based on
the content of the answer and its local policy.                                          Fig. 3.   Interactions between routers and an 14 agent
                                                   ____itiator_     esponder   In order to exert its capability, the 14 agent has to collaborate
                                                      query                    with other entities, such as IDS/IPS and routers. The necessary
                     query                 Intatranswer/query' Repd
           Initiatoranswer   Responder              ~answer'                   network and intra-domain routing configurations must be set
                                                                               up in advance in order for them to communicate with each
              (a) Pull mode                        (b) Push mode               other. Moreover, the security association between 14 agent and
                Fig. 2. Different information exchange modes                   other entities is established and the time-synchronization is
                                                                               maintained. These requirements are reasonable because they
last event in the information exchange procedure2 is to pull                   are under the same administration domain.
the information from the responder.                                               A router plays an important role in the information ex-
    One of the necessary conditions for information exchange                   change. First, it selects some data packets based on certain
is the availability of the responder's identity or location. How-              criteria and forwards them to the 14 agent so that a query
ever, due to asymmetric routing, the customer domain usually                   can be generated. Second, query and answer are forwarded
has no idea about which ISP domain currently forwards the                      by routers to the corresponding 14 agents based on their
traffic coming toward itself3. "Pull" mode may be the most                     Forwarding Information Bases (FIBs). In addition, during the
suitable way for information exchange in this situation: the                   transmission a router in the 14 domain checks whether an
ISP domain attaches its location/identity information in the                   incoming query or answer should be processed in this domain;
query so that the customer domain knows where to send the                      if so, the router forwards it to the local 14 agent. Third, after an
answer back.                                                                   14 agent receives the answer and decides the actions to take,
    In other scenarios, the initiator may already know the                     it communicates with routers where the decisions will take
identity/location of the responder, e.g. via previous information              effect. Fig. 3 shows such interactions between routers and an
exchange or a service agreement established through some                       14 agent.
additional channel. If this is the case, the query is not a                       It is also possible, especially in one large AS, that there
necessary condition for an answer to be triggered. This kind of                are multiple 14 agents set up for the purpose of fault-
information exchange is referred as "push" mode because the                    tolerance, load-balancing, etc. In order to achieve scalability
initiator pushes the information to the responder. Fig. 2 shows                when enabling the inter-agent communication, these 14 agents
the procedures of both modes. Note that a more complicated                     can be organized in the same way as route-reflection and
"push" mode may require some preliminary communication                         consolidation in BGP. The details of such kinds of inter-
to fulfill certain prerequisites for the final "push". Fig. 2(b)               agent communication protocol and hierarchy organization are
shows such an example.                                                         beyond the scope of this paper.
    To exchange information, query and answer can be either
piggybacked in the originally observed data packet or con- C. Security
veyed by an out-of-band message. Different choices result                           To secure the inter-domain information exchange, an estab-
in different tradeoffs between overhead and flexibility. Either lished security association (SA) is usually required. However,
way, query and answer are usually carried by unicast IP this requirement limits the scenarios where the information
packets that are routed by Internet standard routing protocol, exchange is feasible because 1) there is no global key manage-
i.e. BGP.                                                                         ment infrastructure, such as PKI, currently; 2) the information
                                                                                  exchange is needed even among those previously unacquainted
B. Intra-AS issues                                                                domains. In this subsection, we present some practical security
    Due to scalability consideration, the function of the 14 agent solutions that provide a "weaker" but reasonable security under
may be implemented in as few as just one node inside one AS. various information exchange modes.
                                                                                    1) BGP based key distribution mechanism: Fig 4 illustrates
   2Precisely speaking, all information exchange events are correlated more or    our idea using a simple topology where there are six ASes and
less in the long term, and all of them constitute one large procedure that lasts each number in the circle represents the AS number. Each
through the lifetime of one agent. In this paper, we abstract a set of temporally AS, i, generates a secret key, Ki. When AS 0 announces its
and content correlated events as one information exchange procedure.
   3Instead, the ISP domain can implicitly infer how to reach the agent in the network prefixes Pfo to its neighbor, e.g. AS 1, it includes a
customer domain from the destination IP address in the packets forwarded.         key (called "received key"), Kro8       H(Ko, 1) in the BGP

                                                                          0 and shown in Fig.keys, Kro,4 and two AS-paths to that
                                                                            As two received 4, AS 4 receives     We assume AS
              H(KO,1)                  H(H(KO,1),4)   H(H(H(KO,1),4),5)
    K00(                                                  ---C-- J        AS 4 is the initiator and AS 0 is the responder. In the "pull"
           H(KO2)       2<HH    2      )   H(H(H(K(0,2),3),4)             mode, AS 4 generates a query: (4 -> 1 -> 0 4 -> 3 >
                                                                          2 --> 0       the content of query      rtnonce MAC) where
                         H(H(KO,2),3                                      MAC = H(KrO,4,Kr3,4, 4 1- 0 4-> 3                      -- 2--
               Fig. 4. Multipath based authenticattion                    0 the content of query nonce). Usually this query will
                                                                          follow the best path back to AS 0. When AS 0 receives this
                                                                          query, it generates the corresponding received keys and verifies
message where H is a secure hash function Note that KrO,1                 MAC. If succeed, AS 0 generates an answer as follows:
can be securely transferred because the linik between AS 0                (the content of answer rtnonce+ 1 MAC) where MAC
and AS 1 is either a direct physical link or a logical link built
upon a pre-established peering relationship. AS 1 stores this
                                                                          H(KrO1,4,   Kro the content of answer nonce + 1). When
                                                                          AS 4 receives this answer, it will verify MAC. In the three-way
received key together with Pfo and the corre sponding AS path             "push" mode, AS 4 and AS 0 can even establish a shared key
in its routing information table. When AS / propagates Pfo                to further protect the confidentiality of information exchanged.
to its neighbor, e.g. AS 4, it generates anolther received key,           The details are skip here.
Kr4 = H(Kro, 4) = H(H(Ko, 1), 4), fcir AS 4. The same                        The availability of multiple AS paths enables AS 4 and AS
procedure is repeatedly applied by any inter]mediate AS when              0 to resist the Man-in-Middle attack because the attacker now
propagating Pfo. Note that each AS would use its own secret               has to control both AS paths to succeed. Multiple AS paths
key when announcing its own network prelfixes, and use the                are not only available to a multi-homed AS, but also a single-
received key when propagating the received network prefixes.              homed AS. For example, AS 5 may receive multiple different
When one AS receives multiple BGP messag,es regarding Pfo,                AS paths to AS 0 from AS 4 during routing dynamics. AS 5
it selects one AS path as the best one arid keeps the rest                can verify whether there is any "man" in the middle between
as the backup paths. In the following we (describe how this               AS 0 and AS 4; however it cannot detect whether AS 4 is
mechanism helps improve the security in va rious information              such an attacker.
exchange modes.                                                              4) Discussion and summary: To manage the keys, the
   2) Security improvement in one-way "pussh" mode: In this               origin AS can indicate the length of the validity period in
mode, we assume the initiator is AS 4 andI the responder is               seconds in the BGP messages, which does not require global
AS 0. As AS 4 takes the shortest path, 4 -> I -> 0, as the best           time synchronization.
path, it must receive a key Kr4 = H(H( Ko, 1), 4) associ-                    Although the information exchange is still vulnerable to the
ated with Pfo. In its answer to AS 0, AS 4 inicludes the current          dropping attack, the proposed mechanism makes it difficult for
best AS path and Message Authentication C-ode (MAC) gen-                  the on-path attacker to impersonate another domain. Further-
erated as follows: MAC = H(Kro,4, the content of answer 1                 more, it only requires a small extension to BGP message; as
4 -> 1 -> 0). When AS 0 receives this an,swer, it generates               MAC is attached to the query and the answer, no additional
KrO 41 from the received AS path and Ko, then reconstructs                secure exchange is needed.
MACI and compares it with the received M AC. AS 0 accepts                    The way we distribute the received key is similar with
the received answer if they match and oi therwise drops it                Listen&Whisper [18]. However, it is for different purposes.
silently.                                                                 Listen&Whisper focuses on verifying the integrity of different
   In this way the responder can assure thiat the initiator is            AS paths while we try to utilize the availability of multiple AS
indeed included in the AS path provided i]n the answer. An                paths for security protection of inter-domain communication.
attacker may try to forge the "path" in ordLer to avoid being             In fact, our scheme can be combined with Listen&Whisper to
identified during the information exchange. However, due to               provide better security for BGP.
the one-way property of hash function it cannot derive the III. INFORMATION INTERACTION IN THE CASE OF DDoS
correct keys used by other ASes (except the dlownstream ones).
Although the attacker can forge a longer pat]h that seems from
its downstream domains, it still has to inc]lude itself in this A. Overview
path. This improves the security of one-esvay "push" mode           DDoS attacks are deemed as the first-order threat in the
because otherwise the attacker could send tthe forged answer Internet. The infamous attack in February 2000 caused major
from anywhere without being detected.                            Internet portals such as Yahoo, eBay and E*Trade to shut
   3) Multi-path based authentication:    In tterms of security, down. Despite the lack of media attention after that, DDoS
"pull" mode and three-way "push" mode are better than attacks are even more severe and prevalent in the Internet.
the one-way "push" mode because the addlitional exchanges Today the binary codes or even the complete packages of
implicitly ensure that the answer is from the one who actually DDoS attack tools are readily available and do not require
receives the query before. However both aire still vulnerable sophisticated knowledge to launch. In a previous paper [13],
to Man-in-Middle attacks. To address this i:ssue, our solution the authors reported a surprisingly huge number of DDoS
leverages on the availability of multiple AS paths.              attacks observed in everyday traffic.

                                                                                                                  TABLE I
   We apply the "pull" information exchange mode in the case                                                PAYLOADS IN THE QUERY
of DDoS attack. We call the agent in the ISP domain "query
agent" and the agent in the customer domain (i.e. the target of                      Payload Type       Length      Description
attackers) "answer agent". As shown in Fig. 1, the information                        Query agent       4 bytes     the query agent's IP address at which the
exchange procedure can be formulated as a feedback model:                                                           answer will be received
                                                                                         Router ID      2 bytes     to identify the router that selects this data
the query is a signal to the customer domain while the answer                                                       packet
serves as a feedback to the ISP domain; after several times of                          Interface ID    1 bytes     to identify the interface where the
exchanges, this feedback mechanism would make the whole                                                             selected data packet arrives or departs
                                                                                        Timestamp       4 bytes     the local time when the router selects this
system converge to an equilibrium state. In the following we                                                        data packet
present detailed packet formats and information interaction                          Sequence No.      4 bytes      a counter maintained by the query agent
procedures.                                                                             Cookie         16 bytes     a random number generated for stateless
B. Query
   1) Query generation: To generate a query, routers in the                               These two payloads identify the origin of the information
ISP domain randomly select a data packet with a certain                                   (either a query or answer) received by an 14 agent. Also
probability, Pr, and forwards this selected packet4 to the query                          later a query agent can know where the corresponding
agent. We propose to piggyback the query in the selected                                  knowledge should be distributed.
data packet because an out-of-band query message results in                             . "Timestamp": It allows a query agent to learn the tem-
more overheads. It may cause the fragmentation if Maximum                                 poral property of the information received. This payload
Transmission Unit (MTU) is exceeded. If attackers use small                               together with "Router id" and "Interface id" is provided
packets, such as in SYN flooding attack, the probability that                             by routers to the query agent.
14 would cause the fragmentation is small. If large packets                             . "Sequence number": To resist the replay attack, this pay-
are used in attacks, with a large probability there is at least                           load contains the current value of a counter incremented
one query piggybacked in the first fragmentation if any; thus                             by one when a query is sent.
once an attack fragmentation is identified, the whole packet                            . "Cookie": It allows the query agent to statelessly verify
does not have to be re-assembled. The fragmentation issue is                              that the received answer is indeed in response to a query
related with many factors, such as characteristics of network                             generated by itself earlier. This payload contains the
links, the deployment of 14 and the attacker's strategies.                                output of the following formula:
   We propose a new type of IP protocol, called "query", which                                H(K, Query agent 1 destIP other payloads)                         (1)
is placed in the protocol field in the original IP header. The
query starts with a generic header where the next header field                           where K is the secret key generated by the query agent
indicates the type of next header, either an upper transport                              and H is a secure hash function.
protocol or another query. Each payload follows the Type-                          In the case of a DDoS attack, the query is like a question to
Length-Value (TLV) format as some payloads are optional or                         the answer agent: Is this selected data packet good or bad?
of variable size.                                                                     3) Query transmission: As the destination IP address is
   The value of Pr should be carefully chosen in order to strike                   not changed, the query is forwarded to the same destination
a balance between the overhead of IP packet processing and                         domain as the original data packet selected. Fig. 5 shows the
the amount of information exchanged. Furthermore, a router                         procedure of query transmission. A generates a query, QA,C,
could select the data packet from different aggregates5 [11]                       to C. If there is an 14 domain, say, B on the route from A to C,
with different probabilities, thus it can spend more resources                     it treats this received query just like a selected data packet: B
for some aggregates of special interests, e.g. those destined for                  first encrypts QA,C (except the generic header) with its secret
one preferred customer domain whose intention of reception                         key, KB, and then inserts its own query QB,C in between
is distributed proactively or reactively [5].                                      the IP header and QA,C. Note that the cookie payload in
   2) Query payloads: Table I lists the descriptions and the                       QB,C also covers the encrypted portion of QA,C. Finally
suggested lengths of payloads appearing in the query. Note that                    this query will arrive at the destination domain C.
in practice, there may be more efficient way to represent these                    C. Answer
payloads. We briefly discuss below the use of these payloads.                         1) Answer message generation: As the actual recipient,
(See section IV for more details.)                                                 the customer domain is the most appropriate one to answer
   . "Router ID" and "Interface ID": The administrator can                         whether this selected data packet is good or bad. In addition,
      assign unique numbers to routers and their interfaces.                       with the help of local IDS/IPS, it is indeed capable to provide
                                                                                   an   accurate answer 6
  4Additional information, such as the IP address or the identity of the router,     We use an out-of-band message to carry the answer because
the interface where this selected data packet arrives or departs, and the local
time, may be forwarded to the query agent as well.                                 some end-to-end communication is unidirectional. Similarly,
   5The traffic can be separated into aggregates based on the interfaces that
the packets arrive at or depart from, destination IP address or prefix, or the        61ndeed, the partial path information carried in the query may help identify
output of some clustering algorithm.                                               the attack packet.

                                                         IP header       src->dest                                                   TABLE III
                                                                      Generic header
                                                          QB->C        B     S
                                                                                                                POSSIBLE VALUES AND MEANINGS OF THE ANSWER PAYLOAD
                IP header      src->dest
                                                                                                                     Value          Description about the selected data packet
                            Generic header                            Generic header
                 QA->C       AR           I               QA->C        AR            IA   encrypted
                                                                                                              (00)16 < y < (64)16   the prob. as a bad packet is y%
                                                                                                                     (32)16         unknown, 50% as a bad packet
                                 others                                    othiers                                   (00)16         a good packet, 0% as a bad packet
           KA                    query             KB
                                                   doai                    query                 Kc                  (64)16         a bad packet, 100% as a bad packet
                                                 I14 domain \>                                14 domain
                                                     B          I
                                                                                                                 data payload, thus the query agent could install some
                                                                                                                 filters based on the received signature in the appropriate
                                 answer                                    answer
                IP header      dest->A                   IP headder      dest->B                                 routers.
                            Generic header                            Generic header
                                                                                                                 "Duration": This indicates the validity period of a pro-
                             RA IA
                 AC->A       T     S     C                                                                       vided signature. Note that the query agent may indepen-
                                                                                                                 dently set up the lifetime for the received signature rather
                                 others                               Generic header                             than based on this payload.
                                                                 cl                       encrypted           3) Answer message transmission: Fig. 5 shows the proce-
                                                                                                           dure of answer message transmission. When B receives an
Fig. 5. Information exchange procedure: RA, IA, TA, SA and CA denote                                       answer message from C, it first checks if this is a replayed
"Router ID", "Interface ID", "Timestamp", "Sequence number" and "Cookie"                                   message by examining the "Sequence number" payload, SB,
generated by A respectively. The payloads generated by B are denoted in the                                just like the anti-replay window mechanism in IPSec. Then B
same way. Note that C copies RB, IB, TB, SB and CB from the received
query QB-C into the answer message AC,B.
                                                                                                           reconstructs the cookie based on Equation 1 with IP addresses
                                                                                                           and related payloads as inputs. Note that the order of the
                            TABLE II                                                                       source IP address and the destination IP address in the received
            ADDITIONAL PAYLOADS IN THE ANSWER MESSAGE                                                      answer message should be reversed when calculating the
                                                                                                           cookie. B accepts this answer message if the output matches
 Payload Type               Length            Description                                                  with the "Cookie" payload, CB, received or simply discards it
    Content                 variable          IP header and the partial upper layer payloads
                                              in the selected data packet                                  otherwise. After the validation, B may update its knowledge
      Answer                 I byte           the evaluation result of the selected data packet            and take further actions based on the received information.
     Signature              variable          the signature of good or bad traffic                         Furthermore, B decrypts the first encrypted query, QA,C in
     Duration               4 bytes           the validity period of the supplied signature
                                                                                                          -this example and constructs an answer message for A based
                                                                                                           on, e.g. the "Content" payload and the "answer" payload,
                                                                                                           generated by C. When A receives AC,A from B, it follows
we   design      a new           type of IP protocol, called "answer"7. In the
                                                                                                           the same procedure to verify the received answer message and
answer message,     the source IP address is the destination IP                                            takes the information into consideration if succeed.
address in the received query, and the destination IP address
is the value of "Query agent" payload, i.e. the IP address of                                             D. Discussion
the query agent. The answer agent has various strategies to                                                  Our information exchange protocol is efficient and light-
respond to queries; for example, it may cluster the answers to                                            weight because it does not maintain the connection-oriented
a set of queries in one answer message in order to reduce the                                             states like in TCP. "Cookie" payload enables the query agent
overhead.                                                                                                 to statelessly verify the received answer message. It is com-
   2) Answer message payloads: All the payloads (except the                                               putationally impossible for an attacker to forge a valid cookie
first "Query agent" payload in cleartext, but including the                                               without the knowledge of the secret key, K. Although it is still
following encrypted portions) in the received query should                                                vulnerable to Man-in-Middle attack, it does not introduce any
be copied into the generated answer message. In addition, as                                              new threat. See section VII for more discussion on security
shown in Table II the following four new payloads may appear                                              issues.
in the answer message.                                                                                       Query and answer may be lost or reordered during the
      "Content": This allows the query agent to correlate the                                             transmission. With the anti-replay sliding window and the
      received answer with the originally selected data packet.                                           stateless verification, our protocol is robust against packet
      "Answer": This contains the evaluation result, namely, the                                          reordering. Moreover, "Timestamp" payload allows the query
      probability that the selected data packet is bad. Table III                                         agent to apply the received information properly, especially
      shows the possible values in this payload. The probability                                          when an answer experiences the long transmission delay.
      as a good packet can be calculated easily.                                                          Finally as we will show in section IV, adaptive sampling can
      "Signature": When combining with "Answer" payload,                                                  tolerate 14 packet loss.
      this optional payload indicates the signature of the good                                                IV. KNOWLEDGE EXACTION FROM INFORMATION
      or bad traffic represented by the header and/or the partial
  7The numeric values for the types of "query" and "answer" protocols will                                   From the information exchanged, the customer domain and
be assigned by IANA.                                                                                      the ISP domain can extract the knowledge about aggregates,

                                                                                                                               T=15 seconds
as we shall show below. An aggregate can be denoted by                                                                                                              Prob=l

 RI,R id,dC) if it is destined for a customer domain C                                .0
                                                                                                                                                                  Prob=0.1 -,
                                                                                                                                                                 Prob=0.02 13
and arrives at an interface -id of one particular router Rid                    a)                                                                              Prob=0.005    e

in the ISP domain I. Each element in this vector can be either
0 or represent a particular domain, router or interface. We                     e' 0.41
use Fig. 5 to illustrate our method. We use the following
notations: T is the length of the time period during which

a percentage is measured by counting the received answer                              0
                                                                                           0   20   40   60   80   100   120     140   160
                                                                                                                           Time (seconds)
                                                                                                                                              180   200   220   240   260   280   300

messages; NA is the number of answer messages regarding
this aggregate received during T; Nb is the number of                                  Fig. 6. Percentage of bad packets when T= 15
answer messages with negative evaluation results regarding
this aggregate received during T; Pc is the percentage of bad       a basic approach to estimate the percentage of bad packets.
packets of one aggregate.                                           Fig. 6 gives a simple result of implementing a "sample and
                                                                    hold" strategy which is nothing but a zero-order interpolation.
A. Knowledge                                                        From this figure we can see that when the probability of query
   1) The arrival rate of traffic: Every domain can estimate        generation becomes smaller, the error in estimation becomes
the arrival rate of aggregates arriving at their local links. We    bigger. However even when Pr = 0.005, the estimation is still
adopt the following formula from [11]:                              close to the real data. We will apply these parameters in the
           Rnew = (1 -e- )Rcurrent + e R0ld       o           (2)   simulation of rate-limiting DDoS attack traffic in section V.
                                                                       In the future, we propose to study this issue further in
where Rcurrent =-, t is the inter-packet interval, k is a           depth. For example, two questions that need to be answered
constant, e.g. k = 2 and I is the average length of data packets.   are: 1) how to adapt to the traffic dynamics and adjust the
   Moreover, with "Query agent", "Router ID" and "Interface         corresponding parameters to provide an accurate estimation?
ID" payloads in the received query, the customer domain C           2) how to apply the estimated percentage to the current
can estimate the arrival rate of aggregates forwarded by one        incoming traffic and promptly adapt to any rapid change?
remote ISP domain, B, because each query is a randomly                 To address the first question, we intend to apply an adaptive
selected sample of the traffic. For example, if within T seconds    sampling method where the sampling frequency depends on
the number of queries that C receives from B is NQ,B and the        the dynamic properties of the variables being sampled. To
probability of query generation is Pr, the rate of the aggregate    address the second question, we can analyze the trend from
(B, O,O, C) isPrQT packets per second.                              the last m measured percentages, then estimate Pc in the
   2) The percentage of bad packets: C can further estimate
                                                                    near future, for example, by Linear Mean Square Estimation
the percentage of bad packets, denoted by Pc, of the aggre-
                                                                    (LMSE) and ARMA. It is also useful to evaluate these
gates forwarded by B. For example, assume within T seconds
the number of queries from B received by C is NQ -1 and C           approaches with real DDoS attack traces from real networks.
generates the answers {Ao,... ,ANQ1}. Recall that Ai, 0 <
i < NQ -1, contains the probability that a selected data packet       V. EXAMPLES OF COLLABORATIVE DEFENSE AGAINST
is bad. Then Pc of the aggregate (B, 0, 0, C) during this time                        DDoS ATTACKS
period is estimated as NQ where 0 < i < NQ- 1. With
                           IAI                                         14 is capable to address any kind of unwanted traffic. If a
additional "Router ID" and "Interface ID", C can estimate Pc        "signature" is available, such as existing TCP sessions, non-
of even "smaller" aggregates, e.g. on a per-queue basis.            spoofing packet flooding and worm traffic, a filter based on
   Similarly, B can estimate Pc of the aggregate                    the answer message can be installed in the upstream domain.
(B, Rid, lid, C) based on the answer messages received              With the knowledge described in section IV, 14 is even more
from C. Assume that within T seconds, the answer messages           powerful in that it can address more challenging attacks, such
with the router id, Rid, and the interface id, lid, received        as spoofing attack8 and initial requests flooding [16]. In this
from C are {Ao,...,ANA_x i}. Then Pc of the aggregate               section, we assume a general form of the DDoS attack where
(B, Rid, lid, C) during this time period is N = A , where           a "signature" is not available.
0 < i < NA - 1.                                                        Our observation is that during a DDoS attack, bad traffic
   Note that we assume that each data packet in aggregates          contends limited resources, such as the packet scheduling, the
is discrete when calculating Pc. In fact, if one selected data      link bandwidth etc, with the good traffic. However, currently
packet belongs to one session, we can label all the packets in      the router cannot distinguish the "good" from the "bad". 14
this session based on the answer regarding this selected data       precisely addresses this limitation. In the following we show
packet.                                                             how knowledge learned from information exchanged would
B. More about percentage estimation                                 help mitigate the effects of DDoS attacks.
   A smaller query generation probability can reduce the
                                                                       8Due to the lack of IP address accountability, an attacker can easily conceal
processing overhead and traffic load, however it results in inac-   his/her location(s). Moreover a header or content based filter may cause the
curate percentage estimation. The previous subsection presents      bilateral damage.

A. Differentiated server load balancing mechanism                                                                 rae         dropped
                                                                                                          yes/          nt dropped
   Reference [10] proposed that during the DDoS attack a                    data packesens;/
server (the victim) indicates the load it desires to specific
upstream routers, then routers drop the excess traffic to                                                          no
the server. For example, assume that there are n upstream
domains, {Do, D1, ..., D-1 }, forwarding the traffic to one                                                             out
victim domain, V. V splits its total server load, S, into
{So Si, ..., S-} and then indicates this information to the                            Fig. 7.   Rate limiting procedure
corresponding upstream domains, Di. However in [10] V does
not split its server load optimally. As we described above, with   CPU or memory for each linecard, or without full-mesh
the information exchange the victim domain can now estimate        cross-bar. As it is these slower routers that are more likely
the volume of traffic forwarded by each upstream domain Di         congested during the DDoS attack, this proposed mechanism
and which upstream domain forwards the "better" traffic in         could significantly improve the performance of good sessions
terms of the percentage of bad packets within. Thus V can          if implemented in these bottlenecks.
assign the larger workloads to those Di forwarding a lower         C. Weighted aggregate-scheduling mechanism
percentage of bad packets, which makes the victim domain
not only receive the appropriate amount of traffic without            We propose another scheduling mechanism based on the
exceeding its capacity, but also serve more "good" packets         weight of aggregates inside each queue.
from the legitimate users.                                            1) Overview: Assume that there are n aggregates in one
                                                                   unidirectional queue, Q, {Ao, A1, ..., An- 1 }. The arrival rate
B. Weighted queue scheduling mechanism                             of Ai is Ri pkt/sec or Bi Mb/sec, thus the total arrival rate
   In this section we propose a weighted queue scheduling          of all aggregates is RBi Mb/sec. Also we assume that the
mechanism that schedules packet forwarding from one incom-         probability to generate an 14 query from the packets arriving
ing queue to one outgoing queue based on the weight assigned       at Q is P and the bandwidth of Q is B Mb/sec.
to the incoming queue.                                                When the queue is congested, the router starts to rate-limit
   1) Description: Given a router with n queues (Usually each      the incoming traffic in this queue. The total of excess traffic to
queue has the same characteristics, such as bandwidth and          be dropped is Bi- c * B where c is a constant factor. Fig. 7
delay.), {Qo, Q1, ..., Q, -}, let the percentage of bad packets    shows the procedure of processing an incoming packet in 14
in each queue Qi be pi. Each queue Qi is assigned a weight,        queue during the congestion. The router checks whether this
wi = f (- pi), where f () is an ascending function or simply       packet belongs to an aggregate to be rate-limited. If yes, the
f(x)   = X.                                                        packet is forwarded to a rate-limiter module that determines
   In the classical "Round Robin" scheduling mechanism, each       whether this packet should be dropped. If not, the packet is
Qi is scheduled with the same weight and then the percentage       forwarded to a query generation module that generates a query
of bad packets in the total traffic forwarded by this router       based on this packet with the probability P.
is equal to Y = 'Pi. In this proposed mechanism, the ratio
                     n                                                2) Rate-limiting algorithms: Algorithm 1 shows the pseudo
between the number of packets forwarded from Qi and the            code of greedy rate-limiting algorithm implemented in our
total number of packets forwarded by the router is equal to        simulation.
  Wi and the percentage of bad packets forwarded by the router
is equal to X = YP'*w' where i = 0,1,...,n -1. It can              Algorithm 1 Greedy rate-limiting algorithm
be easily proven that X > Y and X = Y if and only if               Sort the aggregates in the descending order of the percentage of bad
PO = P1 = ... = Pk. Thus the weighted queue scheduling             packets, for exmaple, {A1o, Ai, .., Ai, }.
mechanism is better than or as good as the "Round Robin"           j <= 0, E~ Z oRK -B where Ri, is the arrival rate of Ai and
                                                                   B is the link bandwidth.
mechanism in terms of the overall percentage of bad packets        Given an incoming packet, pkt, for each aggregate, Aij,
forwarded.                                                               if pkt C Aij
    By assigning a higher weight to the queue containing a                    pkt is dropped with the probability, min{EIRij, I},
lower percentage of bad packets, the router in the ISP domain                 and exit the loop.
spends more resources in forwarding the packets from these               else if Rij > E, then pkt is forwarded and exit the loop.
                                                                         else E <= E-Aij, j c= j + 1
"good" queues. Thus the queue with the higher percentage
of bad packets tends to become full and eventually more bad
packets are dropped.                                                  The time complexity of Algorithm 1 is O(n) where n is
   2) Discussion: The proposed mechanism is based on the           the number of aggregates. Other rate-limiting algorithms, such
preferential scheduling of the shared resources among inter-       as token-bucket rate-limiting algorithm [11] and weighted
faces. Although the modern "carrier-class" router starts to have   rate-limiting algorithm as described in section V-B, are also
more and more parallelism built in, there might still exist many   possible. Compared with ACC/Pushback [11], our proposal
central resources shared among linecards. Moreover there are       has more advantages: 1) the high-bandwidth aggregate may
still a lot of legacy routers, for example, without dedicated      not be attack traffic always; 2) with the information learned

             attacker                                       answer agent                                                            Percentage of bad packets forwarded
                          e    ent                             fdO                                                                                                                   Red

                                                                                                   "Z     0.8
                               14/Red/Droptail                                                     0-
               si               )queue                          dl


            good user                                       answer agent                           a)

                                                                                                          0.2   ~-

                        Fig. 8. The simulation topology                                                    0
                                  TABLE IV                                                                      0        50          100             150
                                                                                                                                              Time (seconds)
                                                                                                                                                                   200         250           300

                                                                                        Fig. 9.    Percentage of bad packets forwarded by various types of queues
 src   dst        bad traffic          total traffic         start            end                                                           TCP total throughput
                volume (Mbps)        volume (Mbps)     (Seconds)           (Seconds)                      70000
 so    do            0.1                    0.1           5.0                310.0                        60000

 8o    di            0.3                    0.3           5.0                310.0
 si    do             0                     0.3            0                 310.0                        50000

 si    di             0                     0.1            0                 310.0                        40000__

                                                                                                          30000_                                                                                   _

                                                                                                          20000_ ~ ; ~~~~~~Tm Scn
from the real recipient, the router has a better way to aggregate                                         10000_              _,_                                   --     .-

the flows together and drops more from bad aggregates.                                                                   50    0    100        150         200           250         300       350
   3) Aggregation: To make the rate-limiting more effective, it                                                                                Time (Seconds)

is better to consider the aggregates with the similar percentage                       Fig. 10. Throughput of TCP sessions with RED, Droptail and 14 queuing
of bad packets together. This may need to combine or separate
aggregates dynamically. Moreover, it may be more cost-                                 vides a more comprehensive view of the Internet activities.
effective to consider the aggregation of small aggregates as                           This collaboration mode has proven to be more effective than
a whole. An alternative is to ignore the small aggregate for                           doing-it-alone mode. For example, in the DoS attack, not only
now and consider it later at some downstream domains when                              the customer domain can avoid the saturation of its link, but
it has converged to a big enough aggregate. We plan to study                           also the ISP domain can reduce its network traffic load and
more about dynamic aggregation and the impacts of these two                            serve its customer better. We believe that there are mutual
different strategies on small aggregates in the future.                                benefits, thus strong incentives, for domains to collaborate
   4) Simulation: In the topology shown in Fig. 8, so is a DoS                         together by deploying 14.
attacker and s, is a good user. In order to simplify the problem,
we assume do and d1 have a way to identify the attack packets,                         B. Incremental deployment
such as based on the source IP address. We attach a query                                 14 can be deployed incrementally in the current power-law
agent to ro, and answer agents to do and dl. The traffic arriving                      Internet. Reference [9] shows that 50 ASes with the highest
at the queue (ro, rl) is separated into aggregates based on the                        node degrees could cover approximately 90% of all the paths
destination IP address, do and dl. In our NS-2 simulation, the                         and thus are able to examine most of the Internet traffic. If
bandwidth of (ro, rl) is 0.81Mbps, the probability to generate                         deploying 14 in these large ASes, a large portion of unwanted
a query is 0.005 and the time period to estimate the percentage                        traffic could be filtered out. Thus the participating domains
of bad packets is 15 seconds.                                                          can enjoy immediate benefits even with a small number of
   Table IV shows the background UDP traffic in the simula-                            deployments, which in return attracts more and more domains
tion. Besides, we also set up eight TCP(FTP) sessions between                          to participate.
si and do. Different from the UDP traffic, these good TCP
sessions start at 0.0 and end at 305.0.                                                C. Efficiency and Scalability
   We run the simulation when the type of (ro, rl) is 14                                  The information exchange procedure is stateless, efficient
or Droptail or RED (Random Early Dropping) during the                                  and robust against the state or resource exhaustion attack and
DoS attack. Fig. 10 shows the total throughput of eight TCP                            the unexpected situations, such as packet loss, reordering etc.
sessions to do averaged every 25 seconds with each type of                             Considering the burdensome recovery costs, the design of 14
queue. Fig. 9 shows the percentage of bad packets forwarded                            makes a good choice in the tradeoff between reliability and
by each type of queue. The simulation results demonstrate a                            efficiency.
seven fold improvement in TCP throughput and a four-fold                                  By designating one or several agents responsible for the task
reduction in the percentage of bad packets.                                            of information interaction of the whole domain, the number of
                                                                                       nodes to be upgraded in the Internet remains minimal; thus this
                         VI. ADVANTAGES OF 14                                          kind of hierarchy organization provides scalability9. Moreover,
A. Incentive of support
                                                                                         91f each router performs the functionality of 14 agent, the communication
  With 14, the participating domains could enjoy valuable                              delay can be reduced. So there is a tradeoff between scalability and perfor-
information that complements their local knowledge and pro-                            mance.

the routers can aggregate the flows, e.g. based on the network    packets is not changed. Also the impacts on the percentage
prefix, thus the amount of information may scale well even        estimation should be minimal as a certain amount of queries
with large number of network flows.                               are still kept. Another approach is to identify the domains
                                                                  where excess queries come from, e.g. based on the information
D. Universal                                                      of multiple AS paths carried in the query, and then inform
   14 is a universal architecture that can help tackle a large other benign 14 domains to block 14 packets from those
range of problems. For example, during worm outbreak, the domains. This would further motivate the local investigation.
capability of intrusion and anomaly detection in one customer        3) Answer flooding attack: The attackers may try to over-
domain can discover the worm signature. With 14, this knowl- whelm the ISP domains by flooding with answer messages. As
edge can be further distributed to other domains; thus the the forged answer messages do not contain the valid cookies
spread of worm can be stopped much faster than before. Also generated by a sequence of 14 domains, they will be dropped
the victim domain could generate the signature of DDoS attack when arriving at the first 14 domain, which significantly saves
traffic if possible and distribute this knowledge to its upstream the network bandwidth.
domain to throttle the attack. Even when the signature is not       4) Dishonest domain: A greedy/malicious customer do-
available, as shown in section IV, with the information of main may try to achieve more benefits by providing wrong
just one packet accumulated together, i.e. whether this packet answers. For example, it may identify an "attack" packet as
received by the victim is "good" or "bad", the ISP domain can "good" intentionally so that the probability for its aggregate to
preferentially drop attack packets and thus save more good be dropped is smaller. However it ends up with receiving more
packets.                                                          unwanted packets, which wastes its resources and adversely
   14 can also help with the network diagnosis. The ISP domain affects the performance of its legitimate users. Furthermore,
can provide the information, such as the link condition, the in order to incent an honest answer, the ISP domain can
statistic of flows, the root-cause of network failure, to the provide differentiated services to aggregates. For example, the
customer domain so that the customer domain can recover aggregate containing a higher percentage of bad packets is
from the diaster or leverage this information to improve the assigned a larger probability of query generation. Thus the
end-to-end performance, such as by multi-path routing, source percentage estimation is more accurate and the changes can
routing etc.                                                      be detected more quickly. Note that the total number of queries
                        VII. DISCUSSION                           generated is still kept the same. Thus the incentive to provide
                                                                  an honest answer is increased. In the future we plan to apply
A. Security analysis                                              game theory to analyze the interaction of different answer
   The attacker may try to evade, disable or even attack 14. In strategies.
the following, we discuss related threats and countermeasures.       5) Anonymity and privacy: Last but not least, our infor-
   1) Man-in-middle attack: To eavesdrop, modify, intercept mation exchange procedure provides anonymity and recov-
and even drop the 14 packet, the attacker must attach to the erable privacy, as the identity of original 14 domain could
same routing paths taken by these packets. This prerequisite be encrypted during the transmission. This would further
raises the bar to launch this kind of attack and also limits the increase the incentive of participation, especially when the ISP
scope of potential attackers to be at certain locations. The domain may concern that the information provided becomes
communicating peers can establish the security association the evidence against itself later.
(SA) to protect the confidentiality and integrity of information
exchanged based on multiple available AS paths even without B. Availability of I4 under stress
security architecture. Note that even with a SA, a man in the        The availability of 14 service is important to resist unwanted
middle can still drop the 14 packet. Other methods, such as traffic in the Internet. If there is more unwanted traffic, the 14
"WATCHER" [17], can be used to detect disruptive routers.         agent more likely generates an effective query, which in return
   2) Query flooding attack: The attacker may try to flood the helps remove the unwanted traffic. In other words, 14 is self-
customer domain with forged queries. If the attacker is inside reinforcing and self-protecting. Also a step-by-step approach
an 14 domain, the security association between the border is possible: Firstly, the victim domain informs the upstream
router and the 14 agent can detect the forged 14 packet. If domain of the acceptable amount of traffic when a severe
an attacker is inside a regular domain or an 14 domain is DDoS attack is detected, as in [10]; then after the upstream
compromised, the query flood can be injected into the Internet. domains stop forwarding the excess traffic, the victim domain
This issue can be addressed by rate-limiting the queries at provides more answer messages to help the upstream 14
border routers. For example, for a certain aggregate, if the domain drop more bad packets. We plan to conduct further
ratio between the number of queries and the number of data experiments in the test bed to evaluate these ideas.
packets is significantly larger than a threshold (e.g. the query
generation probability), the extra queries will be dropped. C. Overhead
Query flooding attack is just another form of DoS attack; thus       As more memory and CPU cycles are needed, 14 can
the more forged queries, the higher percentage of bad packets. slow down the packet forwarding. We implemented 14 by
If the queries are dropped randomly, the percentage of bad using libipq in Linux and ran it on a desktop PC with a P4

2.0GHz CPU and 256M RAM. On the average, 14 adds 0.2ms               discussion of general 14 architecture and then demonstrate
delay for each data packet during congestion. Although our           its advantages by using DDoS attack as an example. In this
implementation is not optimal and Linux is not the ideal OS          case, the customer domain expresses its preferences about the
for commercial routers, the result on the off-shelf hardware         current flows to the ISP domain so that the unwanted traffic
seems encouraging. We argue that by upgrading the hardware           can be dropped early. Our simulation results and theoretical
and optimizing router's architecture and 14 design, it is feasible   analyses show that the performance can be greatly improved
to deploy 14 in the future Internet.                                 with the information exchanged.
                     VIII. RELATED WORKS                                                X. ACKNOWLEDGE
   Our work leverages on many previous works in the litera-            This work is supported in part by NSF award # 0520333
ture. Due to the limitation of space, we focus on the DDoS           and AFOSR (Grant FA9550-04-1-0159).
related works.                                                                                    REFERENCES
   Early works in this field primarily target at the spoofing
DDoS attack. Ingress filtering [12] prevents this attack by          [1] s. M. Bellovin, "ICMP Traceback Messages", Internet Draft, March 2000.
                                                                     [2] s. Savage, D. Wetherall, A. Karlin, and T. Anderson, "Practical Network
checking whether the source IP address falls into the net-               Support for IP Traceback', Proceedings of ACM SIGCOMM, August
work prefix of an edge domain. However there is no strong                2000.
incentive of deployment because 1) the effectiveness of such         [3] A. C. Snoeren, C. Partridge, L. A. Sanchez, C. E. Jones, F. Tchakountio,
                                                                         S. T. Kent, and W. T. Strayer, "Hash-Based IP Traceback', Proceedings
mechanisms depends on universal deployment; 2) the attacker              of ACM SIGCOMM, August 2001.
is able to evade this mechanisms with just minor efforts.            [4] D. Song, and Adrian Perrig, "Advanced and Authenticated Marking
iTrace/traceback [1] [2] [3] [4] [5] is proposed to traceback            Schemes for IP Traceback", Proceedings of IEEE INFOCOM, April 2001.
                                                                     [5] A. Mankin, D. Massey, C.-L. Wu, S. F. Wu, and L. Zhang, "On Design
the true origin of spoofed packets by providing additional               and Evaluation of Intention-Driven ICMP Traceback", Proceedings of
(path) information to the victim. Despite a significant step, it         IEEE International Conference on Computer Communications and Net-
fails to consider the incentives of deployment: the information          works, October 2001.
                                                                     [6] A. Hussain, J. Heidemann, and C. Papadopoulos, "A Framework for
provided to victims cannot help stop the unwanted traffic                Classifying Denial of Service Attacks", Proceddings of ACM SIGCOMM,
remotely injected into the Internet. Given that the legal actions        August 2003.
may take a long time to start, ISPs and victims do not               [7] A. Yaar, A. Perrig, and D. Song, "Pi: A Path Identification Mechanism
                                                                         to Defend against DDoS Attacks", Proceedings of IEEE Symposium on
see the immediate benefits to justify the cost of deploying              Security and Privacy, May 2003.
iTrace/traceback. References [7] and [15] proposed to help           [8] A. Yaar, A. Perrig, and D. Song, "SIFF: A Stateless Internet Flow Filter
                                                                         to Mitigate DDoS Flooding Attacks", Proceedings of IEEE Symposium
filter the spoofed packet based on either the embedded path              on Security and Privacy, May 2004.
information or "hop count" at the edge of domains. However,          [9] Y. Xie, V. Sekar, D. Maltz, M. Reiter, and H. Zhang, "Worm Origin Iden-
the attack traffic cannot be dropped early.                              tification Using Random Moonwalks", Proceedings of IEEE Symposium
                                                                         on Security and Privacy, May 2005.
   ACC/Pushback [11] proposed to rate-limit the high-volume          [10] D. Yau, J. Lui, F. Liang, and Y Yam, "Defending against distrib-
aggregates during link congestion and to further push such               uted denial-of-service attacks with max-min fair server-centric router
information back to upstream routers. In [10], a server under            throttles", IEEE/ACM Transactions on Networking, Volume 13, Issue 1
stress installs router throttles in the upstream routers so that         (February 2005), Pages: 29 - 42, Year of Publication: 2005, ISSN:1063-
excess traffic is dropped before arriving. However neither can       [11] R. Mahajan, S. M. Bellovin, S. Floyd, J. loannidis, V. Paxson, and
distinguish the legitimate traffic from the attack traffic. 14 can       S. Shenker, "Controlling High Bandwidth Aggregates in the Network",
be combined with them to drop more attack packets.                       ACM SIGCOMM Computer Communication Review, Volume 32, Issue 3
                                                                         (July 2002), Pages: 62 - 73, Year of Publication: 2002, ISSN:0146-4833.
   SIFF [8] and TVA [16] proposed an end-host capability             [12] P. Ferguson, and D. Senie, "Network Ingress Filtering: Defeating Denial
control mechanism that allows an end host to selectively                 of Service Attacks Which Employ IP Source Address Spoofing", RFC
drop the unwanted packets. Our proposal is similar with this             2267, January 1998.
                                                                     [13] D. Moore, G. M. Voelker, and S. Savage, "Inferring Internet Denial-of-
concept; also 14 can address DoS attacks in any kind of traffic,         Service Activity", Proceedings of USENIX Security Symposium, August
such as unidirectional traffic and many other problems, such as          2001.
network diagnosis. Furthermore, our mechanism can be com-            [14] H. Wang, D. Zhang, and K. G. Shin, "Detecting SYN Flooding Attacks",
                                                                         Proceedings of IEEE INFOCOM, 2002.
bined with "fair-queuing" in TVA to achieve both fairness and        [15] C. Jin, H. Wang, and K. G. Shin, "Hop-Count Filtering: An Effective
prioritization. For example, we can reserve some bandwidth               Defense Against Spoofed Traffic", Proceedings of ACM CCS, October
for each flow and allocate the rest based on priorities.             [16] X. Yang, D. Wetherall, and T. Anderson, "A DoS-limiting Network
   There are a lot of works on analyzing and detecting the               Architecture", Proceedings of ACM SIGCOMM, August 2005.
DDoS traffic based on statistical methods, such as [6] [14].         [17] K. A. Bradley, S. Cheung, N. Puketza, B. Mukherjee, and R. A.
Reference [13] reports the DoS attack prevalence and dynam-              Olsson, "Detecting disruptive routers: A distributed network monitoring
                                                                         approach", Proceedings of IEEE Symposium on Security and Privacy,
ics in the Internet. These works greatly help us understand the          May 1998.
DDoS attack.                                                         [18] L. Subramanian, V. Roth, I. Stoica, S. Shenker, and R. H. Katz. "Listen
                                                                         and Whisper: Security Mechanisms for BGP", Proceedings of NSDI,
                    IX. CONCLUSIONS                                      March, 2004.

  We have presented the design of 14, a network infrastructure
of information interaction in the Internet. We start with the


Shared By: