Publication | Closed Access
Early detection and prevention of denial-of-service attacks: a novel mechanism with propagated traced-back attack blocking
Citations: 30
References: 14
Year: 2005
Engineering, Information Security, Attack Traffic, DoS Attacks, Targeted Attack, Denial-of-service Attack, Denial-of-service Attacks, Internet Of Things, Early Detection, Network Security, DDoS Detection, Network Infrastructure, Intrusion Detection System, Attack Response, Intrusion Tolerance, Computer Science, Data Security, Cryptography, Novel Mechanism
A major threat to the information economy is denial-of-service (DoS) attacks. These attacks are highly prevalent despite the widespread deployment of perimeter-based countermeasures. Therefore, more effective approaches are required to counter the threat. This requirement has motivated us to propose a novel, distributed, and scalable mechanism for effective early detection and prevention of DoS attacks at the router level within a network infrastructure. This paper presents the design details of the new mechanism. Specifically, this paper shows how the mechanism combines both stateful and stateless signatures to provide early detection of DoS attacks and, therefore, protect the enterprise network. More importantly, this paper discusses how a domain-based approach to an attack response is used by the mechanism to block attack traffic. This novel approach enables the blockage of an attack to be gradually propagated only through affected domains toward the attack sources. As a result, the attack is eventually confined within its source domains, thus avoiding wasteful attack traffic overloading the network infrastructure. This approach also provides a natural way of tracing back the attack sources, without requiring the use of specific trace-back techniques and additional resources for their implementation.