2006 USENIX Annual Technical Conference Abstract
Pp. 171–184 of the Proceedings
LADS: Large-scale Automated DDoS Detection System
Vyas Sekar, Carnegie Mellon University; Nick Duffield, Oliver Spatscheck, and Jacobus van der Merwe, AT&T Labs–Research; Hui Zhang, Carnegie Mellon University
Abstract
Many Denial of Service attacks use brute-force bandwidth flooding of
intended victims. Such volume-based attacks aggregate at a target's
access router, suggesting that (i) detection and mitigation are best
done by providers in their networks; and (ii) attacks are most readily
detectable at access routers, where their impact is strongest.
In-network detection presents a tension between scalability and
accuracy. Specifically, accuracy of detection dictates fine-grained
traffic monitoring, but performing such monitoring for the tens or
hundreds of thousands of access interfaces in a large provider network
presents serious scalability issues. We investigate the design space
for in-network DDoS detection and propose a triggered, multi-stage
approach that addresses both scalability and accuracy. Our
contribution is the design and implementation of LADS (Large-scale Automated DDoS
Detection System). The attractiveness of this system lies in
the fact that it makes use of data that is readily available to an ISP,
namely, SNMP and Netflow feeds from routers, without dependence on
proprietary hardware solutions. We report our experiences using LADS
to detect DDoS attacks in a tier-1 ISP.
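The triggered, multi-stage idea from the abstract, as an added sketch that is not code from the paper or from LADS: a cheap check over coarse SNMP-style volume counters runs on every interface, and per-destination flow analysis runs only on the interfaces that check flags. The sample data, the mean-plus-k-sigma trigger, the 50% destination share and all function names are assumptions made for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data (not from the paper): SNMP byte counts per polling
# interval for each access interface, oldest first; last value is current.
SNMP_BYTES = {
    "if-a": [100, 110, 95, 105, 98, 102, 101],
    "if-b": [200, 210, 190, 205, 195, 202, 900],  # spike toward one victim
    "if-c": [50, 55, 45, 52, 48, 51, 70],         # spike, but benign spread
}
# Constructed flow records for the current interval: (interface, dst IP, bytes).
FLOWS = [
    ("if-a", "192.0.2.10", 60), ("if-a", "192.0.2.11", 41),
    ("if-b", "198.51.100.7", 780), ("if-b", "198.51.100.8", 70),
    ("if-b", "198.51.100.9", 50),
    ("if-c", "203.0.113.1", 18), ("if-c", "203.0.113.2", 17),
    ("if-c", "203.0.113.3", 18), ("if-c", "203.0.113.4", 17),
]

def snmp_triggers(series, k=3.0):
    """Stage 1: lightweight check on every interface.
    Flags an interface whose current volume exceeds mean + k*stddev of its
    own history (k is an assumed threshold)."""
    flagged = []
    for ifname, counts in series.items():
        history, current = counts[:-1], counts[-1]
        if current > mean(history) + k * pstdev(history):
            flagged.append(ifname)
    return sorted(flagged)

def flow_analysis(flows, flagged, share=0.5):
    """Stage 2: fine-grained analysis, restricted to triggered interfaces.
    Reports destinations that receive more than `share` of the bytes."""
    per_dst = defaultdict(lambda: defaultdict(int))
    for ifname, dst, nbytes in flows:
        if ifname in flagged:  # flow data of quiet interfaces is never examined
            per_dst[ifname][dst] += nbytes
    alarms = []
    for ifname, dsts in per_dst.items():
        total = sum(dsts.values())
        alarms += [(ifname, dst) for dst, b in dsts.items() if b > share * total]
    return sorted(alarms)

def detect(series=SNMP_BYTES, flows=FLOWS):
    flagged = snmp_triggers(series)
    return flagged, flow_analysis(flows, set(flagged))

if __name__ == "__main__":
    print(detect())
```

In this constructed data the first stage flags two interfaces, and the second stage keeps only the one whose traffic concentrates on a single destination, so the volume-only trigger on `if-c` is dismissed without flow data for `if-a` ever being read.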
The Proceedings are published as a collective work, © 2006 by the USENIX Association. All Rights Reserved. Rights to individual papers remain with the author or the author's employer. Permission is granted for the noncommercial reproduction of the complete work for educational or research purposes. USENIX acknowledges all trademarks within this paper.