In-Network Filtering of Distributed Denial-of-Service Traffic with Near-Optimal Rule Selection

6Citations
Citations of this article
16Readers
Mendeley users who have this article in their library.
Get full text

Abstract

A recent trend to mitigate large-scale distributed denial-of-service (DDoS) attacks is in-network filtering, where victims can deploy traffic-filtering rules in networks other than their own. However, given multiple constraints, such as the number of rules a victim can afford to deploy, the set of rules that DDoS defense entities allow a victim to deploy, and the amount of collateral damage to limit, the selection of rules has a large impact on the efficacy of an in-network filtering solution. In this paper, we introduce a new, offer-based operational model for in-network DDoS defense and formulate the NP-hard rule selection problem for this model. We then design an algorithm that overcomes the fundamental limitations of the classical ACO framework and transform it with several key changes to make it applicable to the domain of in-network DDoS defense. Finally, we use a real-world-based Internet routing topology and two real-world DDoS traces, along with one synthetic trace that follows the attack distribution of the recent Mirai DDoS attack, to evaluate the efficacy and runtime of our algorithm against four other rule selection algorithms, and show our algorithm is near-optimal.

Cite

CITATION STYLE

APA

Sisodia, D., Li, J., & Jiao, L. (2020). In-Network Filtering of Distributed Denial-of-Service Traffic with Near-Optimal Rule Selection. In Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2020 (pp. 153–164). Association for Computing Machinery, Inc. https://doi.org/10.1145/3320269.3384755

Register to see more suggestions

Mendeley helps you to discover research relevant for your work.

Already have an account?

Save time finding and organizing research with Mendeley

Sign up for free