Controlling High Bandwidth Aggregates in the Network

Goals:
Handle congestion
  Limit DoS attacks
  Allow flash crowds
Identify traffic aggregates
  Subset of flows responsible for congestion
Integrate provider policy
  Allow provider to configure drop mechanism

Related Work
IP Traceback
  Tries to find source of attack
Ingress/Egress Filtering
  ISP filters packets with fake source addresses
Input debugging
  Uses signatures to filter attack traffic
Scheduling:
  Fair Queuing
  Deficit Round Robin

ACC Design
Apply congestion control to aggregated traffic
Two levels of control:
  Local:
    Identification
    Control
  Global:
    Pushback*

Issues
Collateral damage
  Legitimate traffic may be inaccurately identified and restricted
Routers may become synchronized and simultaneously detect congestion
  Insert jitter into monitoring interval
How to ensure fairness of flows
  Separate identification and control
  Use RED to manage queue drops

Application to DoS attacks: Finding Aggregates
Match destination of each dropped IP packet with longest matching prefix in routing table
Periodically find most frequent prefix
See if destinations match longer prefix
  E.g. maybe all dropped packets go to some specific host.

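The three steps of the Finding Aggregates slide, as an added example that is not part of the original slides: each dropped packet's destination is matched to its longest routing-table prefix, the most frequent prefix is picked, and the prefix is then narrowed as far as its destinations agree. The routing table, the drop history and the function names are constructed for illustration, and narrowing only when every destination shares the longer prefix is an assumption (the slides give no threshold).

```python
import ipaddress
from collections import Counter

# Constructed routing table (documentation prefixes, not from the slides).
ROUTES = [ipaddress.ip_network(p)
          for p in ("0.0.0.0/0", "198.51.100.0/24", "203.0.113.0/24")]

def longest_match(dst, routes=ROUTES):
    """Most specific routing-table prefix containing dst."""
    addr = ipaddress.ip_address(dst)
    return max((r for r in routes if addr in r), key=lambda r: r.prefixlen)

def common_prefix(dsts):
    """Longest IPv4 prefix shared by every address in dsts."""
    ints = [int(ipaddress.ip_address(d)) for d in dsts]
    diff = 0
    for i in ints:
        diff |= i ^ ints[0]          # bits that differ anywhere in the set
    plen = 32 - diff.bit_length()
    base = ints[0] >> (32 - plen) << (32 - plen)
    return ipaddress.ip_network((base, plen))

def find_aggregate(dropped_dsts, routes=ROUTES):
    """Return (routing prefix, narrowed prefix, share of all drops)."""
    if not dropped_dsts:
        return None                  # nothing dropped in this interval
    matches = [(longest_match(d, routes), d) for d in dropped_dsts]
    top, hits = Counter(m for m, _ in matches).most_common(1)[0]
    members = [d for m, d in matches if m == top]
    return top, common_prefix(members), hits / len(dropped_dsts)

# Constructed drop history for one monitoring interval.
DROPS = ["203.0.113.9"] * 7 + ["198.51.100.20"] + ["192.0.2.5"] * 2

if __name__ == "__main__":
    top, narrowed, share = find_aggregate(DROPS)
    print(f"most frequent prefix {top}, narrowed to {narrowed}, "
          f"{share:.0%} of drops")
```
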
Application to DoS attacks: Rate Limiting*
Let:
  wo be output bandwidth
  wi be total input bandwidth
  wb be bandwidth of aggregate
  desired drop rate be 20%
Two conditions:
  wi - wb <= 1.2*wo
  wi - wb > 1.2*wo