Mitigating distributed denial of service attacks with Multiprotocol Label Switching--Traffic Engineering (MPLS-TE)
Fulp, John D.
MetadataShow full item record
A Denial of Service (DoS) occurs when legitimate users are prevented from using a service over a computer network. A Distributed Denial of Service (DDoS) attack is a more serious form of DoS in which an attacker uses the combined power of many hosts to flood and exhaust the networking or computing resources of a target server. In recent years, DDoS attacks have become a major threat to both civilian and military networks. Multi-Protocol Label Switching with Traffic Engineering (MPLS-TE) is an emerging technology that allows explicit, bandwidth-guaranteed packet forwarding paths to be established for different traffic flows. It provides a means for diverting packets of a suspected DDoS attack for analysis and cleaning before forwarding them to the actual destination. The objective of this research was to implement and evaluate the performance of an MPLS-TE based solution against DDoS attacks on a realistic test-bed network consisting of Cisco routers. The test-bed has been integrated with SnortÂ®, an open source Intrusion Detection System (IDS), to achieve automatic detection and to mitigate DDoS attacks. The test-bed network was subject to a series of malicious traffic flows with varying degrees of intensity. The results demonstrated that MPLS-TE is very effective in mitigating such attacks. The overall system response time and the router CPU loads are comparable to those reported by two former NPS theses that examined alternative solutions based on BGP blackhole routing.
Approved for public release, distribution unlimited.
Showing items related by title, author, creator and subject.
Price, Patrick D. (Monterey, California. Naval Postgraduate School, 2003-03);Individual users, businesses, and governments have become functionally dependent on the Internet's connectivity to interact at the most basic levels of social and economic intercourse. Yet self-propagating worms and ...
Onder, Hulusi (Monterey, California. Naval Postgraduate School, 2004-03);Wireless Local Area Network (WLAN) technologies are becoming widely used since they provide more flexibility and availability. Unfortunately, it is possible for WLANs to be implemented with security flaws which are not ...
Neural detection of malicious network activities using a new direct parsing and feature extraction technique Low, Cheng Hong (Monterey, California: Naval Postgraduate School, 2015-09);The aim of this thesis is to develop an intrusion detection system (IDS) software, which learns to detect and classify network attacks and intrusions through prior training data. With the added criteria of operating in ...