dFence: Transparent Network-based Denial of Service Mitigation
Denial of service (DoS) attacks are a growing threat to the availability of Internet services. We present dFence, a novel network-based defense system for mitigating DoS attacks. The main thesis of dFence is complete transparency to the existing Internet infrastructure, with no software modifications at either routers or end hosts. dFence dynamically introduces special-purpose middlebox devices into the data paths of the hosts under attack. By intercepting both directions of IP traffic (to and from the attacked hosts) and applying stateful defense policies, dFence middleboxes effectively mitigate a broad range of spoofed and unspoofed attacks. We describe the architecture of the dFence middlebox, mechanisms for on-demand introduction and removal, and DoS mitigation policies, including defenses against DoS attacks on the middlebox itself. We evaluate our prototype implementation based on Intel IXP network processors.
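The abstract's two central ideas, a middlebox that observes both directions of a protected host's traffic to enforce a stateful policy, and a middlebox whose own state must stay bounded so it cannot be flooded, can be illustrated with a small simulation. The code below is an added example, not dFence's implementation or any policy from the paper: it uses a hypothetical handshake-tracking policy (a client may send data only after the middlebox has seen its SYN, the host's outbound SYN-ACK, and the client's ACK), a per-source SYN limit, and FIFO eviction of half-open state, all with constructed addresses and packets.

```python
from collections import OrderedDict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    kind: str  # "SYN", "SYN-ACK", "ACK", "RST" or "DATA" (simplified TCP flags)


class Middlebox:
    """Transparent middlebox on both directions of one protected host's traffic.

    Hypothetical policy (an assumption for this example, not dFence's): a client
    address may send DATA only after the middlebox has seen its SYN, the host's
    SYN-ACK going out, and the client's ACK coming back. Half-open state is
    bounded so a flood cannot exhaust the middlebox itself.
    """

    def __init__(self, protected, max_half_open=1000, max_syn_per_src=3):
        self.protected = protected
        # src -> {"count": SYNs seen, "answered": host's SYN-ACK observed}
        self.half_open = OrderedDict()
        self.established = set()
        self.max_half_open = max_half_open
        self.max_syn_per_src = max_syn_per_src
        self.forwarded = []
        self.dropped = []

    def process(self, pkt):
        """Return True if the packet is forwarded, False if dropped."""
        if pkt.src == self.protected:
            return self._outbound(pkt)
        if pkt.dst == self.protected:
            return self._inbound(pkt)
        return self._forward(pkt)  # traffic for other hosts passes untouched

    def _forward(self, pkt):
        self.forwarded.append(pkt)
        return True

    def _drop(self, pkt):
        self.dropped.append(pkt)
        return False

    def _inbound(self, pkt):
        if pkt.kind == "SYN":
            entry = self.half_open.get(pkt.src)
            if entry is not None:
                if entry["count"] >= self.max_syn_per_src:
                    return self._drop(pkt)  # repeated SYNs that never complete
                entry["count"] += 1
                return self._forward(pkt)
            while len(self.half_open) >= self.max_half_open:
                self.half_open.popitem(last=False)  # evict oldest half-open source
            self.half_open[pkt.src] = {"count": 1, "answered": False}
            return self._forward(pkt)
        if pkt.kind == "ACK":
            entry = self.half_open.get(pkt.src)
            if entry is None or not entry["answered"]:
                return self._drop(pkt)  # no handshake in progress or host never replied
            del self.half_open[pkt.src]
            self.established.add(pkt.src)
            return self._forward(pkt)
        if pkt.kind == "DATA" and pkt.src in self.established:
            return self._forward(pkt)
        return self._drop(pkt)

    def _outbound(self, pkt):
        # Outbound traffic is observed, never blocked: a SYN-ACK proves the host
        # is answering this client, a RST means the host has given up on it.
        entry = self.half_open.get(pkt.dst)
        if entry is not None:
            if pkt.kind == "SYN-ACK":
                entry["answered"] = True
            elif pkt.kind == "RST":
                del self.half_open[pkt.dst]
        return self._forward(pkt)


def simulate():
    """Run a constructed traffic mix through a deliberately small middlebox."""
    host = "10.0.0.1"
    mb = Middlebox(host, max_half_open=5, max_syn_per_src=2)
    client = "192.0.2.10"  # legitimate client completes the handshake, then sends data
    for pkt in [Packet(client, host, "SYN"), Packet(host, client, "SYN-ACK"),
                Packet(client, host, "ACK"), Packet(client, host, "DATA")]:
        mb.process(pkt)
    # spoofed flood: 20 distinct sources, the host answers, nobody completes
    for i in range(20):
        mb.process(Packet(f"198.51.100.{i}", host, "SYN"))
        mb.process(Packet(host, f"198.51.100.{i}", "SYN-ACK"))
    # one source hammering SYNs is cut off by the per-source limit
    for _ in range(5):
        mb.process(Packet("203.0.113.7", host, "SYN"))
    mb.process(Packet("203.0.113.7", host, "ACK"))   # no SYN-ACK was seen: dropped
    mb.process(Packet("198.51.100.3", host, "DATA"))  # never established: dropped
    return mb


if __name__ == "__main__":
    mb = simulate()
    print(f"forwarded={len(mb.forwarded)} dropped={len(mb.dropped)} "
          f"half_open={len(mb.half_open)} established={sorted(mb.established)}")
```

The half-open table never exceeds five entries however many sources the flood uses, which is the property a middlebox needs if it is not to become the new DoS target; in a real deployment the limits would be far larger and eviction would also be driven by timeouts.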
author = {Ajay Mahimkar and Jasraj Dange and Vitaly Shmatikov and Harrick Vin and Yin Zhang},
title = {{dFence}: Transparent Network-based Denial of Service Mitigation},
booktitle = {4th USENIX Symposium on Networked Systems Design \& Implementation (NSDI 07)},
year = {2007},
address = {Cambridge, MA},
url = {https://www.usenix.org/conference/nsdi-07/dfence-transparent-network-based-denial-service-mitigation},
publisher = {USENIX Association},
month = apr
}