SBAC: Service Based Access Control

U. Tupakula, V. Varadharajan, S. K. Vuppala
Published in: 2009 14th IEEE International Conference on Engineering of Complex Computer Systems (ICECCS 2009), publication date 2009-06-02. DOI: 10.1109/ICECCS.2009.43 (https://doi.org/10.1109/ICECCS.2009.43). Indexed via Semantic Scholar.
Citations: 13

Abstract

In this paper we propose a dynamically invoked Service Based Access Control (SBAC) Model to efficiently deal with Distributed Denial of Service (DDoS) attacks. The main idea of SBAC is based on the observation that if the routers have information about the services that are running on the end host and can identify the upper-layer traffic from the IP packet payload, then it becomes easy to differentiate between legitimate and attack traffic for that particular victim server. To minimise the overhead on the routers, the SBAC model is invoked during attack times only, and the victim's traffic is processed separately. The boundary routers in the SBAC model validate each incoming packet to the victim on a per-server basis. Only the packets that are considered to be accessing the legitimate services are passed; the remaining packets are dropped. Hence, at this stage the victim's network is immune to any dynamic changes in attack pattern as long as the attack packets are not accessing the legitimate services at the victim end. The packets that are considered to be accessing legitimate services of the victim machine/network are marked with a unique ID and forwarded to the victim. If any of the received packets are found to be malicious, the unique ID enables the victim to identify a service-specific attack signature for each ingress SBAC router and prevent the attack traffic at that particular router. We will also discuss how the SBAC model deals with attacks on the infrastructure of the Autonomous System.
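The two-stage mechanism the abstract describes (per-victim, per-service validation at the boundary router, marking of passed packets with the ingress router's ID, and a signature pushed back by the victim to exactly that router) can be followed in a small simulation. The code below is an added example written for this page, not code from the paper. Everything beyond the abstract's description is an assumption: packets are plain records, the "upper-layer" check is a hypothetical HTTP/1.x request-line predicate on the payload, the attack signature is a (source, protocol, port) tuple, the victim's detector is a hypothetical per-source request threshold, the router IDs 1 and 2 are arbitrary, and the traffic uses constructed RFC 5737 documentation addresses.

```python
from dataclasses import dataclass, replace
from typing import Callable, Dict, List, Optional, Set, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp" or "udp"
    dport: int
    payload: bytes
    mark: Optional[int] = None   # ingress SBAC router ID, set once the packet passes validation

# Per-victim service table: (proto, dport) -> predicate over the IP payload (assumed shape).
ServiceTable = Dict[Tuple[str, int], Callable[[bytes], bool]]
# Hypothetical attack signature the victim pushes back to one ingress router.
Signature = Tuple[str, str, int]   # (src, proto, dport)

def looks_like_http(payload: bytes) -> bool:
    """Hypothetical upper-layer check: does the payload carry an HTTP/1.x request line?"""
    method = payload.split(b" ", 1)[0]
    return method in {b"GET", b"POST", b"HEAD"} and b" HTTP/1." in payload

class SBACRouter:
    """Boundary router: filters only for victims that invoked SBAC, forwards everything else untouched."""
    def __init__(self, router_id: int) -> None:
        self.router_id = router_id
        self.active: Dict[str, ServiceTable] = {}      # victim -> its service table
        self.blocked: Dict[str, Set[Signature]] = {}   # victim -> signatures it pushed back
        self.dropped = 0

    def activate(self, victim: str, services: ServiceTable) -> None:
        self.active[victim] = services

    def deactivate(self, victim: str) -> None:
        self.active.pop(victim, None)
        self.blocked.pop(victim, None)

    def block(self, victim: str, sig: Signature) -> None:
        self.blocked.setdefault(victim, set()).add(sig)

    def forward(self, pkt: Packet) -> Optional[Packet]:
        table = self.active.get(pkt.dst)
        if table is None:
            return pkt                                 # SBAC not invoked for this destination
        if (pkt.src, pkt.proto, pkt.dport) in self.blocked.get(pkt.dst, set()):
            self.dropped += 1                          # stage two: victim-supplied signature
            return None
        check = table.get((pkt.proto, pkt.dport))
        if check is None or not check(pkt.payload):
            self.dropped += 1                          # stage one: not a legitimate service
            return None
        return replace(pkt, mark=self.router_id)       # mark with the ingress router ID

class Victim:
    """End host: detects abuse of a legitimate service and uses the mark to pick the router to notify."""
    def __init__(self, addr: str, services: ServiceTable,
                 routers: Dict[int, SBACRouter], threshold: int) -> None:
        self.addr, self.services, self.routers, self.threshold = addr, services, routers, threshold
        self.seen: Dict[Signature, int] = {}
        self.accepted = 0
        self.pushed: List[Tuple[int, Signature]] = []

    def invoke_sbac(self) -> None:
        for r in self.routers.values():
            r.activate(self.addr, self.services)

    def release_sbac(self) -> None:
        for r in self.routers.values():
            r.deactivate(self.addr)

    def receive(self, pkt: Packet) -> bool:
        # Hypothetical detector: more than `threshold` requests from one source to one service is abuse.
        sig = (pkt.src, pkt.proto, pkt.dport)
        self.seen[sig] = self.seen.get(sig, 0) + 1
        if self.seen[sig] > self.threshold and pkt.mark is not None:
            self.routers[pkt.mark].block(self.addr, sig)   # only the ingress router that marked it
            self.pushed.append((pkt.mark, sig))
            return False
        self.accepted += 1
        return True

def simulate() -> dict:
    """Constructed traffic: a good client behind router 1; junk and a well-formed flood behind router 2."""
    routers = {1: SBACRouter(1), 2: SBACRouter(2)}
    victim = Victim("10.0.0.5", {("tcp", 80): looks_like_http}, routers, threshold=3)
    victim.invoke_sbac()
    good = Packet("198.51.100.7", "10.0.0.5", "tcp", 80, b"GET / HTTP/1.1\r\nHost: v\r\n\r\n")
    junk_port = Packet("203.0.113.9", "10.0.0.5", "udp", 53, b"\x00" * 40)     # service not offered
    junk_payload = Packet("203.0.113.9", "10.0.0.5", "tcp", 80, b"\x00" * 40)  # right port, not HTTP
    flood = Packet("203.0.113.66", "10.0.0.5", "tcp", 80, b"GET /x HTTP/1.1\r\n\r\n")
    traffic = [(1, good), (2, junk_port), (2, junk_payload)] + [(2, flood)] * 6 + [(1, good)]
    for rid, pkt in traffic:
        out = routers[rid].forward(pkt)
        if out is not None:
            victim.receive(out)
    victim.release_sbac()
    idle = routers[2].forward(junk_port)               # attack over: no filtering, no overhead
    return {
        "router_dropped": {rid: r.dropped for rid, r in routers.items()},
        "victim_accepted": victim.accepted,
        "pushed": victim.pushed,
        "idle_passthrough": idle is junk_port,
    }

if __name__ == "__main__":
    print(simulate())
```

Running `simulate()` shows the division of labour: the junk on a closed port and the non-HTTP payload on port 80 never reach the victim, the well-formed flood passes stage one (it is accessing a legitimate service) until the victim's detector fires, and the resulting signature is installed only on router 2 while the good client behind router 1 is never dropped. Two caveats a practitioner would weigh: payload-based service identification needs visible upper-layer data, so it degrades to port matching for encrypted traffic, and a signature keyed on the source address is only as strong as the network's ingress anti-spoofing; the abstract does not say what the paper's signatures contain, so the tuple used here is the example's choice, not the paper's.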