Commoditising DDoS Mitigation

Current practices in network security deployment require multiple specialised devices such as firewalls, traffic shapers, sensors or Intrusion Detection Systems (IDSs) to handle malicious traffic. This practice not only increases the overall operational costs but also makes network administration complicated. The high cost of Distributed Denial of Service (DDoS) mitigation devices favours centralised services and network architectures, as there is no cost-effective model for deploying them at the "true edge" of the network.

This paper describes the design and implementation of a multi-10 Gbit extensible network traffic analysis and policing system. It is composed of logical detection and enforcement functions built from reusable underlying primitives. As an example of such a modular approach, we present an innovative DDoS scrubbing system composed of various attack detection primitives, combined with enforcement primitives that include traffic filtering, rate limiting, and proxying. Based on commodity hardware and open source software, such a system is price, space, and power efficient enough to be practically deployable at the edge of the network. Performance measurements carried out on 10 Gbit networks show that it can effectively provide both traffic visibility and enforcement of a wide range of network traffic policies.
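As an added illustration of the modular design the abstract describes (not code from the paper or its system), the following Python sketch composes per-source rate detection primitives with filtering and rate-limiting enforcement primitives over a constructed packet trace; all class names, thresholds and addresses are assumptions.

```python
from collections import Counter, defaultdict, deque

# Detection primitive: fires when a source exceeds `limit` packets within the last `window` seconds.
class SourceRate:
    def __init__(self, limit, window=1.0):
        self.limit, self.window = limit, window
        self.seen = defaultdict(deque)          # src -> timestamps still inside the window
    def __call__(self, pkt):
        q = self.seen[pkt["src"]]
        q.append(pkt["ts"])
        while q and q[0] <= pkt["ts"] - self.window:
            q.popleft()
        return len(q) > self.limit

# Enforcement primitive: token bucket; "pass" while tokens remain, "drop" otherwise.
class RateLimit:
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = burst, None
    def __call__(self, pkt):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (pkt["ts"] - self.last) * self.rate)
        self.last = pkt["ts"]
        if self.tokens >= 1:
            self.tokens -= 1
            return "pass"
        return "drop"

def drop(pkt):
    return "drop"   # enforcement primitive: unconditional filter

def scrub(packets, rules):
    """Run every detector on each packet (so their state stays current), then let
    the first firing rule's enforcer decide; packets matching no rule pass."""
    verdicts = []
    for pkt in packets:
        hits = [detect(pkt) for detect, _ in rules]
        enforcer = next((enf for hit, (_, enf) in zip(hits, rules) if hit), None)
        verdicts.append((pkt["src"], enforcer(pkt) if enforcer else "pass"))
    return verdicts

def run_demo():
    # Constructed trace: one source sends 20 packets in 0.1 s, another sends 3 packets in 1 s.
    flood = [{"ts": i * 0.005, "src": "203.0.113.9"} for i in range(20)]
    normal = [{"ts": i * 0.5, "src": "198.51.100.4"} for i in range(3)]
    trace = sorted(flood + normal, key=lambda p: p["ts"])
    rules = [
        (SourceRate(limit=15), drop),                          # clear flood: filter outright
        (SourceRate(limit=10), RateLimit(rate=5, burst=2)),    # suspicious: throttle
    ]
    per_src = defaultdict(Counter)
    for src, action in scrub(trace, rules):
        per_src[src][action] += 1
    return per_src
```

Each rule pair is independent state, so detectors and enforcers can be swapped or stacked without touching the pipeline loop.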


TRAC Workshop 2016, Paphos, Cyprus, 2016

