In-network server-directed client authentication and packet classification

Defenses against Distributed Denial-of-Service (DDoS) attacks are commercially available and deployed by Internet Service Providers (ISPs) at the network and transport layers. However, attackers increasingly target vulnerabilities at the application layer. Launched from bots, these attacks seek to exhaust server resources, such as CPU and disk bandwidth. Because these attacks use normal-looking requests, ISP defenses can't distinguish them. We describe Forward Sentinel (FS), a novel device that enables ISPs to protect servers against such attacks. When load on a server reaches a level suggestive of attack, FS intercepts traffic and requires the server's clients to authenticate. Moreover, protected servers can signal to FS the desired class of service for a client's packets (e.g., after client authentication by the server). FS can be configured to mark packets for different classes of service or drop them according to the results of client authentication, number of packets forwarded, and server signaling. Experiments demonstrate that FS can effectively protect servers against DDoS attacks at the network, transport, and application layers.
Publisher
LCN '10
Issue Date
2010-10-10
Language
English
Citation

35th Annual IEEE Conference on Local Computer Networks, LCN 2010, pp. 328-331

DOI
10.1109/LCN.2010.5735734
URI
http://hdl.handle.net/10203/164612
Appears in Collection
RIMS Conference Papers