ABSTRACT
This paper presents the design and implementation of a filter-based DoS defense system (StopIt) and a comparison study of the effectiveness of filters and capabilities. Central to the StopIt design is a novel closed-control, open-service architecture: any receiver can use StopIt to block the undesired traffic it receives, yet the design is robust to various strategic attacks from millions of bots, including filter exhaustion attacks and bandwidth flooding attacks that aim to disrupt the timely installation of filters. Our evaluation shows that StopIt can block the attack traffic from a few million attackers within tens of minutes with bounded router memory. We compare StopIt with existing filter-based and capability-based DoS defense systems under simulated DoS attacks of various types and scales. Our results show that StopIt outperforms existing filter-based systems, and can prevent legitimate communications from being disrupted by various DoS flooding attacks. It also outperforms capability-based systems in most attack scenarios, but a capability-based system is more effective in one type of attack, in which the attack traffic does not reach the victim but congests a link shared by the victim. These results suggest that both filters and capabilities are highly effective DoS defense mechanisms, but neither is more effective than the other in all types of DoS attacks.