Publications

RAD: Reflector attack defense using message authentication codes

Abstract

Reflector attacks are a variant of denial-of-service attacks that use unwitting, legitimate servers to flood a target. The attacker spoofs the target's address in legitimate service requests, such as TCP SYN packets. The servers, called "reflectors," reply to these requests, flooding the target. RAD is a novel defense against reflector attacks. It has two variants: locally-deployed (L-RAD) and core-deployed (C-RAD). Local RAD uses message authentication codes (MACs) to mark outgoing requests at their source, so the target of a reflector attack can differentiate between replies to legitimate and spoofed requests. MACs can be validated either at the target machine or on a gateway router at the target's network. Core RAD, which is deployed at the AS level, handles larger attacks that overwhelm L-RAD. The source AS marks each packet it sends with a hash message authentication code (HMAC) and core ASes filter packets …

Date
December 7, 2009
Authors
Erik Kline, Matt Beaumont-Gay, Jelena Mirkovic, Peter Reiher
Conference
2009 Annual Computer Security Applications Conference
Pages
269-278
Publisher
IEEE