Design of Defence Mechanism against DDoS Attacks in NCP-based Broadband Convergence Networks  

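Han, Kyeong-Eun (Electronics and Telecommunications Research Institute)
Yang, Won-Hyuk (Chonbuk National University, Department of Computer Engineering, Research Center for Advanced Image and Information Technology)
Yoo, Kyung-Min (Chonbuk National University, Department of Computer Engineering, Research Center for Advanced Image and Information Technology)
Yoo, Jae-Young (Chonbuk National University, Department of Computer Engineering, Research Center for Advanced Image and Information Technology)
Kim, Young-Sun (Electronics and Telecommunications Research Institute)
Kim, Young-Chon (Chonbuk National University, Department of Computer Engineering, Research Center for Advanced Image and Information Technology)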
Abstract
In this paper, we propose an NCP (Network Control Platform)-based defense mechanism against DDoS (Distributed Denial of Service) attacks in order to guarantee the transmission of normal traffic and prevent the flooding of abnormal traffic. We also define the defense modules, the threshold, and the packet drop rate used in the response to DDoS attacks. The NCP determines whether a DDoS attack is occurring based on the flow and queue information collected from the SR (Source Router) and VR (Victim Router). Attack packets are dropped according to the drop rate decided by the NCP. The performance is simulated using OPNET and evaluated in terms of the queue size of both the SR and VR and the transmitted volumes of legitimate and attack packets at the SR.
Keywords
DDoS; Attack Detection; Rate Limiting; BcN;