Stateful Anycast for DDoS Mitigation
Author(s)
Hansen, Richard E.
DownloadMIT-CSAIL-TR-2007-035.ps (4444.Kb)
Additional downloads
Other Contributors
Advanced Network Architecture
Advisor
Karen Sollins
Metadata
Show full item recordAbstract
Distributed denial-of-service (DDoS) attacks can easily cripple victim hosts or networks, yet effective defenses remain elusive. Normal anycast can be used to force the diffusion of attack traffic over a group of several hosts to increase the difficulty of saturating resources at or near any one of the hosts. However, because a packet sent to the anycast group may be delivered to any member, anycast does not support protocols that require a group member to maintain state (such as TCP). This makes anycast impractical for most applications of interest.This document describes the design of Stateful Anycast, a conceptual anycast-like network service based on IP anycast. Stateful Anycast is designed to support stateful sessions without losing anycasts ability to defend against DDoS attacks. Stateful Anycast employs a set of anycasted proxies to direct packets to the proper stateholder. These proxies provide DDoS protection by dropping a sessions packets upon group member request. Stateful Anycast is incrementally deployable and can scale to support many groups.
Description
MEng thesis
Date issued
2007-06-21Other identifiers
MIT-CSAIL-TR-2007-035
Series/Report no.
Massachusetts Institute of Technology Computer Science and Artificial Intelligence Laboratory