D-WARD: a source-end defense against flooding denial-of-service attacks

Authors: J. Mirkovic, P. Reiher

DOI: 10.1109/TDSC.2005.35

Abstract: Defenses against flooding distributed denial-of-service (DDoS) commonly respond to the attack by dropping excess traffic, thus reducing overload at the victim. The major challenge is the differentiation of legitimate from attack traffic, so that policies can be selectively applied. We propose D-WARD, a source-end DDoS defense system that achieves autonomous detection and surgically accurate response, thanks to its novel traffic profiling techniques and adaptive response deployment. Moderate volumes seen near the sources, even during attacks, enable extensive statistics gathering and profiling, facilitating high selectiveness. D-WARD inflicts an extremely low collateral damage while quickly detecting and severely rate-limiting outgoing attacks. D-WARD has been extensively evaluated in a controlled testbed environment and in real network operation. Results of selected tests are presented in the paper.
