Security Integration in DDoS Attack Mitigation Using Access Control Lists

Security Integration in DDoS Attack Mitigation Using Access Control Lists

Sumit Kumar Yadav, Kavita Sharma, Arushi Arora
Copyright: © 2021 |Pages: 23
DOI: 10.4018/978-1-7998-5348-0.ch011
(Individual Chapters)
No Current Special Offers


In this article, the authors propose a DDoS mitigation system through access list-based configurations, which are deployed at the ISP (Internet Service Provider's) edge routers to prohibit DDoS attacks over ISPs' networks traffic. The effectiveness of the proposed system relies heavily on the willingness of ISPs in implementing the system. Once each ISP implements the system, most attacks can easily be stopped close to their point of origin. The main challenge is to implement such a system with the fixed amount of memory and available processing power with routers. A coordinated effort by participating ISPs filters out attacks close to their source, reducing the load on other routers. The suspicious traffic is first filtered out based on their source IP address. The authors also implemented the WRED algorithm for their case and conduct GNS3 experiments in a simulated environment.
Chapter Preview

Types Of Attacks

In this section, the two categories of DDoS attacks are explained in addition to DDoS attack taxonomy and well-known attacks.

Bandwidth Attacks

When a large amount of traffic is sent to the host or target network, an attack is carried out. This attack causes overuse of network bandwidth, memory or processing resources. If such traffic is left uncontrolled, devices in the target path such as routers, servers and firewalls can fail. In packet-flooding attack (a type of bandwidth attack) a large number of seemingly legitimate - UDP (User Datagram Protocol) or TCP (Transmission Control Protocol), ICMP (Internet Control Message Protocol) - packets are sent to a specific destination. These packets may misrepresent their source IP (Internet Protocol) address to make detection even more difficult and lead to “spoofing”. An approach MULTOPS (MUlti-Level Tree for Online Packet Statistics) was proposed for bandwidth attack detection (Gil & Poletto, 2001). A framework based on header count, ramp-up behaviour and other techniques are used to classify DoS attacks (Hussain, Heidemann & Papadopoulos, 2003).

Complete Chapter List

Search this Book: