A control theoretical approach for flow control to mitigate bandwidth attacks

Document Type

Conference Proceeding

Publication Date

12-1-2006

Abstract

A flooding-based distributed denial-of-service (DoS) attack presents a very serious threat to the stability of the Internet. However, current intrusion detection is unreliable and may produce many false positives. Rate-limiting is therefore a better-suited response than complete filtering. Filtering out all the traffic to the victim would greatly damage misclassified flows, whereas rate-limiting still allows some packets to reach the destination and thus keeps the connection alive. Allowing some attack packets through is acceptable, since the attack's overall impact depends on the volume of the attack packets. Moreover, if the flow rate of low-priority flows is reduced, the high-priority flows get more chances to access the server they share, which eventually reduces congestion and improves the throughput of the high-priority flows. Based on the concept of a flow aggregation management architecture [15], we present a Flow-based Congestion Control (FCC) architecture that consists of a Flow-based Quality-of-Service (FQoS) regulator and a PID controller. The whole system adopts a control-theoretic approach to adjust the traffic rate of every link (or server) so as to maintain the traffic rates at their desired level. In order to provide more fine-grained differentiated services (or flows) with different weights and to maximally limit malicious services (or flows), we propose a multi-level packet classification structure. Moreover, in order to maximally block flooding, flow-based network intrusion detection [15] is used to classify each flow in the network into different priority classes and to give different treatment to the flow rates belonging to different classes. The architecture is shown to provide highly flexible service differentiation and to be robust against different types of flooding attacks, and traditional network traffic control can be implemented using one common framework. This system has been evaluated using simulated test-bed data. Results showed that the system successfully mitigates bandwidth flooding attacks. ©2006 IEEE.

Identifier

33845950333 (Scopus)

ISBN

1424401305, 9781424401307

Publication Title

Proceedings of the 2006 IEEE Workshop on Information Assurance

First Page

348

Last Page

360

Volume

2006

This document is currently not available here.
