Mitigating Network Denial-of-Service Through Diversity-Based Traffic Management

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3531)


In this paper we explore the feasibility of mitigating network denial-of-service (NDoS) attacks (attacks that consume network bandwidth) by dynamically regulating learned classes of network traffic. Our classification technique clusters packets based on the similarity of their contents – both headers and payloads – using a variation of n-grams which we call (p,n)-grams. We then allocate shares of bandwidth to each of these clusters using an adaptive traffic management technique. Our design intent is that excessive bandwidth consumers (e.g. UDP worms, flash crowds) are segregated so that they cannot consume bandwidth to the exclusion of other network traffic. Because this strategy, under congestion conditions, increases the packet drop rate experienced by sets of similar flows and thus reduces the relative drop rate of other, dissimilar flows, we characterize this strategy as diversity-based traffic management. We explain the approach at a high level and report on preliminary results that indicate that network traffic can be quickly and concisely learned, and that this classification can be used to regulate the bandwidth allocated to both constant packet and polymorphic flash UDP worms.


network denial of service flash worms traffic shaping network security diversity 


  1. 1.
    Staniford, S., Moore, D., Paxson, V., Weaver, N.: The Top Speed of Flash Worms. In: Proceedings of ACM Workshop on Rapid Malcode, WORM (2004)Google Scholar
  2. 2.
    Floyd, S., Fall, K.: Promoting the Use of End-to-End Congestion Control in the Internet. IEEE/ACM Transactions on Networking 7, 458–472 (1999)CrossRefGoogle Scholar
  3. 3.
    Widmer, J., Denda, R., Mauve, M.: A Survey of TCP-Friendly Congestion Control. IEEE Network (2001)Google Scholar
  4. 4.
    Matrawy, A., Lambadaris, I.: A Survey of Congestion Control Schemes for Multicast Video Applications. IEEE Communications Surveys and Tutorials 5, 22–31 (2003)CrossRefGoogle Scholar
  5. 5.
    Floyd, S.: TCP and Explicit Congestion Notification. ACM Computer Communications Review, 10–23 (1994)Google Scholar
  6. 6.
    Floyd, S., Jacobson, V.: Random Early Detection Gateways for Congestion Avoidance. IEEE/ACM Trans. on Networking, 397–413 (1993)Google Scholar
  7. 7.
    Estan, C., Varghese, G.: New Directions in Traffic Measurement and Accounting: Focusing on Elephants, Ignoring the Mice. ACM Trans. on Computer Systems 21, 270–313 (2003)CrossRefGoogle Scholar
  8. 8.
    Estan, C., Savage, S., Varghese, G.: Automatically Inferring Patterns of Resource Consumption in Network Traffic. In: Proceedings of ACMSIGCOMM 2003, Germany, pp. 270–313 (2003)Google Scholar
  9. 9.
    Clark, D., Fangand, W.: Explicit Allocation of Best Effort Packet Delivery Service. IEEE/ACM Trans. on Networking 6, 362–373 (1988)CrossRefGoogle Scholar
  10. 10.
    Blake, S., Black, D., Carlson, M., Davies, E., Wang, Z., Weiss, W.: An Architecture for Differentiated Services. RFC 2475 (1988)Google Scholar
  11. 11.
    Georgiadis, L., Guérin, R., Peris, V., Sivarajan, K.N.: Efficient Network QoS Provisioning Based on Per-Node Traffic Shaping. IEEE/ACM Transactions on Networking 4, 482–501 (1996)CrossRefGoogle Scholar
  12. 12.
    Elwalid, A., Mitra, D.: Traffic Shaping at a Network Node: Theory, Optimum Design, Admission Control. In: Proceedings of IEEE InfoCom 1997 (1997)Google Scholar
  13. 13.
    Mahajan, R., Bellovin, S., Floyd, S., Ioannidis, J., Paxson, V., Shenker, S.: Controlling High Bandwidth Aggregates in the Network. Computer Communications Review (2002)Google Scholar
  14. 14.
    Ioannidis, J., Bellovin, S.: Implementing Pushback: Router-based Defense against DDoS Attacks. In: Proceedings of NDSS 2002 (2001)Google Scholar
  15. 15.
    Yaar, A., Perrig, A., Song, D.X.: SIFF: A Stateless Internet Flow Filter to Mitigate DDoS Flooding Attacks. In: IEEE Symposium on Security and Privacy (2004)Google Scholar
  16. 16.
    Heberlein, L., Dias, G., Levitt, K., Mukherjee, B., Wood, J., Wolber, D.: A Network SecurityMonitor. In: Proceedings of the IEEE Symposium on Security and Privacy (1990)Google Scholar
  17. 17.
    Hofmeyr, S.: An Immunological Model of Distributed Detection and its Application to Computer Security. PhD thesis, University of New Mexico (1999)Google Scholar
  18. 18.
    Singh, S., Estan, C., Varghese, G., Savage, S.: The EarlyBird System for Real-time Detection of Unknown Worms. Technical report - cs2003-0761, UCSD (2003)Google Scholar
  19. 19.
    Singh, S., Estan, C., Varghese, G., Savage, S.: Automated Worm Fingerprinting. In: Proceedings of OSDI 2004, San Francisco CA (2004)Google Scholar
  20. 20.
    Rabin, M.: Fingerprinting by Random Polynomials. Technical report 15-81, Harvard University (1981)Google Scholar
  21. 21.
    Kreibich, C., Crowcroft, J.: Honeycomb - Creating Intrusion Detection Signatures Using Honeypots. In: Proceedings of HOTNETS-II (2003)Google Scholar
  22. 22.
    Kim, H., Karp, B.: Autograph: Toward Automated, Distributed Worm Signature Detection. In: Proceedings of the 13th Usenix Security Symposium (2004)Google Scholar
  23. 23.
    Wang, K., Stolfo, S.J.: Anomalous Payload-based Network Intrusion Detection. In: Jonsson, E., Valdes, A., Almgren, M. (eds.) RAID 2004. LNCS, vol. 3224, pp. 203–222. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  24. 24.
    Mahalanobis, P.: On the generalized distance in statistics. Proc. Natl. Institute of Science of India 2 (1936)Google Scholar
  25. 25.
    Staniford, S., Paxson, V., Weaver, N.: How to Own the Internet in Your Spare Time. In: Proceedings of the 11th USENIX Security Symposium (2002)Google Scholar
  26. 26.
    Matrawy, A., Somayaji, A., van Oorschot, P.: The Threat of Attacker Innovation to Flash Worm Defenses. Manuscript in Preparation (2005)Google Scholar
  27. 27.
    Moore, D., Paxson, V., Savage, S., Shannon, C., Staniford, S., Weaver, N., et al.: The Spread of the Sapphire/Slammer Worm. Technical report, CAIDA (2003),

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  1. 1.Carleton UniversityOttawaCanada

Personalised recommendations