Mitigating distributed denial of service attacks with Multiprotocol Label Switching--Traffic Engineering (MPLS-TE)

Author: Vordos, Ioannis
Date: 2009-03
Advisor: Xie, Geoffrey
Second Reader: Fulp, John D.
Abstract
A Denial of Service (DoS) occurs when legitimate users are prevented from using a service over a computer network. A Distributed Denial of Service (DDoS) attack is a more serious form of DoS in which an attacker uses the combined power of many hosts to flood and exhaust the networking or computing resources of a target server. In recent years, DDoS attacks have become a major threat to both civilian and military networks. Multi-Protocol Label Switching with Traffic Engineering (MPLS-TE) is an emerging technology that allows explicit, bandwidth-guaranteed packet forwarding paths to be established for different traffic flows. It provides a means for diverting the packets of a suspected DDoS attack for analysis and cleaning before forwarding them to their actual destination. The objective of this research was to implement and evaluate the performance of an MPLS-TE based solution against DDoS attacks on a realistic test-bed network consisting of Cisco routers. The test-bed was integrated with Snort®, an open source Intrusion Detection System (IDS), to achieve automatic detection and mitigation of DDoS attacks. The test-bed network was subjected to a series of malicious traffic flows of varying intensity. The results demonstrated that MPLS-TE is very effective in mitigating such attacks. The overall system response time and the router CPU loads are comparable to those reported by two former NPS theses that examined alternative solutions based on BGP blackhole routing.
Rights
This publication is a work of the U.S. Government as defined in Title 17, United States Code, Section 101. Copyright protection is not available for this work in the United States.