ML: DDoS Damage Control with MPLS

  • Pierre-Edouard FabreEmail author
  • Hervé Debar
  • Jouni Viinikka
  • Gregory Blanc
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10014)


We present a DDoS mitigation mechanism dispatching suspicious and legitimate traffic into separate MultiProtocol Label Switching (MPLS) tunnels, well upstream from the target. The objective is to limit the impact a voluminous attack could otherwise have on the legitimate traffic through saturation of network resources. The separation of traffic is based on a signature identifying suspicious flows, carried in an MPLS label, and then used by a load-balancing mechanism in a router. The legitimite traffic is preserved at the expense of suspcious flows, whose resource allocations are throttled as needed to avoid congestion.


Multiprotocol Label Switching Quality of Service Volumetric DDoS Amplification DDoS Network resilience Bloom filter 



This research is supported by the European Seventh Framework Programme (FP7) and by the Japanese Ministry of Internal Affairs and Communication (MIC) during the project NECOMA under grant agreement No 608533, and by the French research program Programme d’Investissements d’Avenir (PIA) during the project SIEM+ under grant agreement P111271-3583256.


  1. 1.
    Cisco Security Intelligence Operations: Cisco 2014 Annual Security Report. Technical report, Cisco (2014)Google Scholar
  2. 2.
    Prince, M.: Technical details behind a 400gbps NTP amplification DDoS attackGoogle Scholar
  3. 3.
    Rossow, C.: Amplification hell: revisiting network protocols for DDoS abuse. In: NDSS. The Internet Society (2014)Google Scholar
  4. 4.
    Casado, M., Cao, P., Akella, A., Provos, N.: Flow-cookies: using bandwidth amplification to defend against DDoS flooding attacks. Quality of Service - IWQoS 2006, pp. 286–287 (2006)Google Scholar
  5. 5.
    Greenhalgh, A., Handley, M., Huici, F.: Using routing and tunneling to combat DoS attacks. In: SRUTI. USENIX Association (2005)Google Scholar
  6. 6.
    Abujoda, A., Papadimitriou, P.: Midas: middlebox discovery and selection for on-path flow processing. In: COMSNETS, pp. 1–8. IEEE (2015)Google Scholar
  7. 7.
    Mahimkar, A., Dange, J., Shmatikov, V., Vin, H.M., Zhang, Y.: dFence: transparent network-based Denial of Service mitigation. In: NSDI. USENIX (2007)Google Scholar
  8. 8.
    Qazi, Z.A., Tu, C.C., Chiang, L., Miao, R., Sekar, V., Yu, M.: SIMPLE-fying middlebox policy enforcement using SDN. In: ACM SIGCOMM 2013 ConferenceGoogle Scholar
  9. 9.
    Paxson, V.: An analysis of using reflectors for distributed Denial-of-Service attacks. Comput. Commun. Rev. 31(3), 38–47 (2001)CrossRefGoogle Scholar
  10. 10.
    Cisco, I.: Unicast reverse path forwarding (1999)Google Scholar
  11. 11.
    Ferguson, P., Senie, D.: Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing. RFC 2827, May 2000Google Scholar
  12. 12.
    Systems, C.: Remotely triggered black hole filtering - destination based and source based. Technical report, Cisco Systems (2005)Google Scholar
  13. 13.
    Fung, C.J., McCormick, B.: VGuard: a distributed denial of service attack mitigation method using network function virtualization. In: Network and Service Management (CNSM), pp. 64–70, November 2015Google Scholar
  14. 14.
    Hachem, N., Debar, H., García-Alfaro, J.: HADEGA: a novel MPLS-based mitigation solution to handle network attacks. In: IPCCC, pp. 171–180. IEEE (2012)Google Scholar
  15. 15.
    Debar, H., Curry, D., Feinstein, B.: The Intrusion Detection Message Exchange Format (IDMEF). RFC 4765 (Experimental), March 2007Google Scholar
  16. 16.
    Teague, N.: Open threat signaling using RPC API over HTTPS and IPFIX. Internet-Draft draft-teague-open-threat-signaling-01, IETF Secretariat, July 2015Google Scholar
  17. 17.
    Cisco, I.: Netflow (2008)Google Scholar
  18. 18.
    Traffic monitoring using sflow (2003)Google Scholar
  19. 19.
    Sadasivan, G., Brownlee, N., Claise, B., Quittek, J.: Architecture for IP Flow Information Export. RFC 5470, March 2009Google Scholar
  20. 20.
    Baker, Z.K., Prasanna, V.K.: Time and area efficient pattern matching on FPGAs. In: Tessier, R., Schmit, H. (eds.) FPGA, pp. 223–232. ACM (2004)Google Scholar
  21. 21.
    Roesch, M.: Snort: lightweight intrusion detection for networks. In: Parter, D.W. (ed.) LISA, pp. 229–238. USENIX (1999)Google Scholar
  22. 22.
    Vordos, I.: Mitigating distributed denial of service attacks with multi-protocol label switching-traffic engineering (MPLS-TE). Ph.D. thesis, Naval Postgraduate School (2009)Google Scholar
  23. 23.
    Understanding ACL on catalyst 6500 series switches. Technical report, CiscoGoogle Scholar
  24. 24.
    Dharmapurikar, S., Krishnamurthy, P., Taylor, D.E.: Longest prefix matching using bloom filters. IEEE/ACM Trans. Netw. 14(2), 397–409 (2006)CrossRefGoogle Scholar
  25. 25.
    Chan, E.Y.K., et al.: IDR: an intrusion detection router for defending against distributed denial-of-service (DDOS) attacks. In: ISPAN, pp. 581–586. IEEE Computer Society (2004)Google Scholar
  26. 26.
    Cohen, S., Matias, Y.: Spectral Bloom filters. In: Proceedings of the 2003 ACM SIGMOD International Conference on Management of Data, SIGMOD 2003, pp. 241–252. ACM, New York (2003)Google Scholar
  27. 27.
    Wang, H., Shin, K.G.: Transport-aware IP routers: a built-in protection mechanism to counter DDoS attacks. IEEE Trans. Parallel Distrib. Syst. 14(9), 873–884 (2003)CrossRefGoogle Scholar
  28. 28.
    Menth, M., Reifert, A., Milbrandt, J.: Self-protecting multipaths — a simple and resource-efficient protection switching mechanism for MPLS networks. In: Mitrou, N., Kontovasilis, K., Rouskas, G.N., Iliadis, I., Merakos, L. (eds.) NETWORKING 2004. LNCS, vol. 3042, pp. 526–537. Springer, Heidelberg (2004). doi: 10.1007/978-3-540-24693-0_44 Google Scholar
  29. 29.
    Kazmi, N.A., Koster, A.M.C.A., Branke, J.: Formulations and algorithms for the multi-path selection problem in network routing. In: ICUMT, pp. 738–744. IEEE (2012)Google Scholar
  30. 30.
    Murthy, S., Garcia-Luna-Aceves, J.J.: Congestion-oriented shortest multipath routing. In: Proceedings IEEE INFOCOM 1996, pp. 1028–1036. IEEE (1996)Google Scholar
  31. 31.
    Zhang, J., Xi, K., Zhang, L., Chao, H.J.: Optimizing network performance using weighted multipath routing. In: 21st International Conference on Computer Communications and Networks (ICCCN), 2012, pp. 1–7, July 2012Google Scholar
  32. 32.
    Rosen, E., Viswanathan, A., Callon, R.: Multiprotocol Label Switching Architecture. RFC 3031, January 2001Google Scholar
  33. 33.
    Awduche, D., Malcolm, J., Agogbua, J., O’Dell, M., McManus, J.: Requirements for Traffic Engineering Over MPLS. RFC 2702 (Informational), September 1999Google Scholar
  34. 34.
    Faucheur, F.L., et al.: Multi-Protocol Label Switching (MPLS) Support of Differentiated Services. RFC 3270, May 2002Google Scholar
  35. 35.
    Bloom, B.H.: Space/time trade-offs in hash coding with allowable errors. Commun. ACM 13(7), 422–426 (1970)CrossRefzbMATHGoogle Scholar
  36. 36.
    Fan, L., Cao, P., Almeida, J.M., Broder, A.Z.: Summary cache: a scalable wide-area web cache sharing protocol. In: SIGCOMM, pp. 254–265 (1998)Google Scholar
  37. 37.
    Cisco: Cisco IOS Quality of Service Solutions Configuration Guide, Release 12.2 - Policing and Shaping OverviewGoogle Scholar
  38. 38.
    Fontugne, R., Borgnat, P., Abry, P., Fukuda, K.: MAWILab: combining diverse anomaly detectors for automated anomaly labeling and performance benchmarking. In: CoNEXT, p. 8. ACM (2010)Google Scholar

Copyright information

© Springer International Publishing AG 2016

Authors and Affiliations

  • Pierre-Edouard Fabre
    • 1
    • 2
    Email author
  • Hervé Debar
    • 2
  • Jouni Viinikka
    • 1
  • Gregory Blanc
    • 2
  1. 1.6cureColombellesFrance
  2. 2.Institut Mines-Telecom, Telecom SudParis, CNRS Samovar UMR 5157EvryFrance

Personalised recommendations