{"title":"一种缓解带宽攻击的流量控制理论方法","authors":"Sui Song, C. Manikopoulos","doi":"10.1109/IAW.2006.1652116","DOIUrl":null,"url":null,"abstract":"Flooding-based distributed denial-of-service (DoS) attack presents a very serious threat to the stability of the Internet. However, current intrusion detection is unreliable and may have high false-positives. Rate-limiting is a better-suited response than complete filtering. Filtering out all the traffic to the victim would greatly damage misclassified flows, whereas rate-limiting still allows some packets to reach the destination and thus keeps connection alive. Allowing some attack packets through is acceptable, since the attack's overall impact depends on the volume of the attack packets. Moreover, if the flow-rate of low-priority is reduced, the high-priority flow would get more chances to access the server they share, which eventually reduce the congestion and improve the throughput of the high-priority flow. Based on tie concept of flow aggregation management architecture (Sui Song, et al., April 2006), we present a flow-based congestion control (FCC) architecture that consists of a flow-based quality-of-service (FQoS) regulator and PID controller. The whole system adopts a control-theoretic approach to adjust the traffic rate of every link (or server) so as to maintain the traffic rates at their desired level. In order to provide more fine-grained differentiated services (or flows) with different weight and maximally limit malicious services (or flows), we propose multilevel packet classification structure. Moreover, in order maximally to block flooding, the flow-based network intrusion detection (Sui Song, et al., April 2006) is used to classify each flow in the network into different priority classes and give different treatment to the flow-rates belonging to different classes. The architecture is shown to be highly flexible service differentiation and robust against different types of flooding attacks, and traditional network traffic control can be implemented using one common framework. This system has been evaluated by using simulated test-bed data. Results showed the success that the system mitigates bandwidth flooding attacks","PeriodicalId":326306,"journal":{"name":"2006 IEEE Information Assurance Workshop","volume":"220 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2006-06-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"1","resultStr":"{\"title\":\"A Control Theoretical Approach for Flow Control to Mitigate Bandwidth Attacks\",\"authors\":\"Sui Song, C. Manikopoulos\",\"doi\":\"10.1109/IAW.2006.1652116\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Flooding-based distributed denial-of-service (DoS) attack presents a very serious threat to the stability of the Internet. However, current intrusion detection is unreliable and may have high false-positives. Rate-limiting is a better-suited response than complete filtering. Filtering out all the traffic to the victim would greatly damage misclassified flows, whereas rate-limiting still allows some packets to reach the destination and thus keeps connection alive. Allowing some attack packets through is acceptable, since the attack's overall impact depends on the volume of the attack packets. Moreover, if the flow-rate of low-priority is reduced, the high-priority flow would get more chances to access the server they share, which eventually reduce the congestion and improve the throughput of the high-priority flow. Based on tie concept of flow aggregation management architecture (Sui Song, et al., April 2006), we present a flow-based congestion control (FCC) architecture that consists of a flow-based quality-of-service (FQoS) regulator and PID controller. The whole system adopts a control-theoretic approach to adjust the traffic rate of every link (or server) so as to maintain the traffic rates at their desired level. In order to provide more fine-grained differentiated services (or flows) with different weight and maximally limit malicious services (or flows), we propose multilevel packet classification structure. Moreover, in order maximally to block flooding, the flow-based network intrusion detection (Sui Song, et al., April 2006) is used to classify each flow in the network into different priority classes and give different treatment to the flow-rates belonging to different classes. The architecture is shown to be highly flexible service differentiation and robust against different types of flooding attacks, and traditional network traffic control can be implemented using one common framework. This system has been evaluated by using simulated test-bed data. Results showed the success that the system mitigates bandwidth flooding attacks\",\"PeriodicalId\":326306,\"journal\":{\"name\":\"2006 IEEE Information Assurance Workshop\",\"volume\":\"220 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2006-06-21\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"1\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2006 IEEE Information Assurance Workshop\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/IAW.2006.1652116\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2006 IEEE Information Assurance Workshop","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/IAW.2006.1652116","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 1
摘要
基于洪水的分布式拒绝服务(DoS)攻击对互联网的稳定造成了严重的威胁。然而,目前的入侵检测是不可靠的,可能有很高的误报。速率限制是比完全滤波更合适的响应。将所有流量过滤到受害者将极大地破坏错误分类的流,而限速仍然允许一些数据包到达目的地,从而保持连接存活。允许一些攻击数据包通过是可以接受的,因为攻击的总体影响取决于攻击数据包的数量。此外,如果降低低优先级流的流量速率,高优先级流将有更多的机会访问它们共享的服务器,最终减少拥塞,提高高优先级流的吞吐量。基于流聚合管理架构的概念(Sui Song, et al., April 2006),我们提出了一种基于流的拥塞控制(FCC)架构,该架构由基于流的服务质量(FQoS)调节器和PID控制器组成。整个系统采用控制理论的方法来调整各链路(或服务器)的流量速率,使流量速率保持在理想的水平。为了提供更细粒度、不同权重的差异化服务(或流),最大限度地限制恶意服务(或流),我们提出了多级包分类结构。此外,为了最大限度地阻断洪水,采用了基于流量的网络入侵检测(Sui Song, et al., 2006),将网络中的每条流划分为不同的优先级,并对属于不同级别的流量率进行不同的处理。该体系结构具有高度灵活的服务差异化和对不同类型洪水攻击的鲁棒性,传统的网络流量控制可以使用一个通用框架来实现。利用模拟试验台数据对该系统进行了评估。结果表明,该系统能够有效缓解带宽泛滥攻击
A Control Theoretical Approach for Flow Control to Mitigate Bandwidth Attacks
Flooding-based distributed denial-of-service (DoS) attack presents a very serious threat to the stability of the Internet. However, current intrusion detection is unreliable and may have high false-positives. Rate-limiting is a better-suited response than complete filtering. Filtering out all the traffic to the victim would greatly damage misclassified flows, whereas rate-limiting still allows some packets to reach the destination and thus keeps connection alive. Allowing some attack packets through is acceptable, since the attack's overall impact depends on the volume of the attack packets. Moreover, if the flow-rate of low-priority is reduced, the high-priority flow would get more chances to access the server they share, which eventually reduce the congestion and improve the throughput of the high-priority flow. Based on tie concept of flow aggregation management architecture (Sui Song, et al., April 2006), we present a flow-based congestion control (FCC) architecture that consists of a flow-based quality-of-service (FQoS) regulator and PID controller. The whole system adopts a control-theoretic approach to adjust the traffic rate of every link (or server) so as to maintain the traffic rates at their desired level. In order to provide more fine-grained differentiated services (or flows) with different weight and maximally limit malicious services (or flows), we propose multilevel packet classification structure. Moreover, in order maximally to block flooding, the flow-based network intrusion detection (Sui Song, et al., April 2006) is used to classify each flow in the network into different priority classes and give different treatment to the flow-rates belonging to different classes. The architecture is shown to be highly flexible service differentiation and robust against different types of flooding attacks, and traditional network traffic control can be implemented using one common framework. This system has been evaluated by using simulated test-bed data. Results showed the success that the system mitigates bandwidth flooding attacks
京公网安备 11010802042870号
京ICP备2023020795号-1
分享
求助内容:
应助结果提醒方式:
扫码关注我们
