Defending Networks against Denial of Service Attacks

Abstract

Denial of service attacks, viruses and worms are common tools for malicious adversarial behaviour in networks. Experience shows that over the last few years several of these techniques have probably been used by governments to impair the Internet communications of various entities, and we can expect that these and other information warfare tools will be used increasingly as part of hostile behaviour, either independently or in conjunction with other forms of attack in conventional or asymmetric warfare, as well as in other forms of malicious behaviour. In this paper we concentrate on Distributed Denial of Service (DDoS) attacks, where one or more attackers generate flooding traffic and direct it from multiple sources towards a set of selected nodes or IP addresses in the Internet. We first briefly survey the literature on the subject and discuss some examples of DDoS incidents. We then present a technique that can be used for DDoS protection based on creating islands of protection around a critical information infrastructure. This technique, which we call CPN-DoS-DT (Cognitive Packet Networks DoS Defence Technique), creates a self-monitoring sub-network surrounding each critical infrastructure node. CPN-DoS-DT is triggered by a DDoS detection scheme, and generates control traffic from the targets of the DDoS attack to the islands of protection, where DDoS packet flows are destroyed before they reach the critical infrastructure. We use mathematical modelling, simulation and experiments on our test-bed to show the positive and negative outcomes that may result from both the attack and the CPN-DoS-DT protection mechanism, due to imperfect detection and false alarms.
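The abstract describes a control loop: a detector at the target flags flooding sources, control messages travel upstream to the island of protection, and the island drops the flagged flows before they reach the critical node. It also notes that the outcome depends on detection errors. The following is an added toy simulation written for this page; it is not code from the paper and does not reproduce CPN-DoS-DT. It assumes a simple per-source rate-threshold detector (RateDetector), a single upstream filtering node (ProtectionIsland) that blocks whatever sources it is told about, and a constructed set of four traffic sources. It lets you see both effects the authors mention: a low-rate attacker that slips under the threshold (a missed detection) still reaches the target, while a heavy but legitimate source is cut off (a false alarm).

```python
"""Toy model of upstream filtering with an imperfect detector (added example, not the paper's code)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Flow:
    """One traffic source sending a fixed number of packets per round (constructed input)."""
    src: str
    is_attack: bool
    packets_per_round: int


class RateDetector:
    """Assumed detector at the target: flags any source whose per-round packet count exceeds a threshold."""

    def __init__(self, threshold: int) -> None:
        self.threshold = threshold

    def flag(self, flow: Flow) -> bool:
        return flow.packets_per_round > self.threshold


class ProtectionIsland:
    """Assumed upstream filtering node: drops every flow whose source it has been told to block."""

    def __init__(self) -> None:
        self.blocked: Set[str] = set()

    def control(self, src: str) -> None:
        """A control message from the target tells the island to block a source."""
        self.blocked.add(src)

    def forward(self, flow: Flow) -> bool:
        return flow.src not in self.blocked


def simulate(flows: Iterable[Flow], threshold: int, rounds: int) -> Dict[str, object]:
    """Run `rounds` rounds; the island forwards, the target detects, control messages go upstream.

    Returns packet counts sent and delivered per traffic class plus the sets of
    misclassified sources (legitimate sources blocked, attack sources missed).
    """
    flows = list(flows)
    detector = RateDetector(threshold)
    island = ProtectionIsland()
    stats: Dict[str, object] = {
        "attack_sent": 0, "attack_delivered": 0,
        "legit_sent": 0, "legit_delivered": 0,
        "false_positives": set(), "false_negatives": set(),
    }
    for _ in range(rounds):
        # Traffic passes the island first; only unblocked sources reach the target.
        for f in flows:
            kind = "attack" if f.is_attack else "legit"
            stats[kind + "_sent"] += f.packets_per_round  # type: ignore[operator]
            if island.forward(f):
                stats[kind + "_delivered"] += f.packets_per_round  # type: ignore[operator]
        # At the end of the round the target classifies what it saw and sends control messages upstream.
        for f in flows:
            flagged = detector.flag(f)
            if flagged:
                island.control(f.src)
            if flagged and not f.is_attack:
                stats["false_positives"].add(f.src)  # type: ignore[union-attr]
            if not flagged and f.is_attack:
                stats["false_negatives"].add(f.src)  # type: ignore[union-attr]
    return stats


# Constructed sample: two legitimate sources (one heavy) and two attackers (one low-rate).
SAMPLE_FLOWS: List[Flow] = [
    Flow("legit-A", False, 10),
    Flow("legit-B", False, 60),
    Flow("attacker-X", True, 200),
    Flow("attacker-Y", True, 40),
]

if __name__ == "__main__":
    result = simulate(SAMPLE_FLOWS, threshold=50, rounds=3)
    for key, value in result.items():
        print(f"{key}: {value}")
```

With a threshold of 50 the first round is delivered in full (detection has not yet run), after which attacker-X and legit-B are blocked at the island while attacker-Y keeps getting through; raising the threshold removes the false alarm but lets more attack traffic reach the target, which is the trade-off the abstract refers to.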

Cite this paper

@inproceedings{Gelenbe2004DefendingNA,
  title={Defending Networks against Denial of Service Attacks},
  author={Erol Gelenbe and Michael Gellman and George Loukas},
  year={2004}
}