Distributed SIP DDoS Defense with P4
Authors: Aldo Febro, Hannan Xiao, Joseph Spring
Published in: 2019 IEEE Wireless Communications and Networking Conference (WCNC), 2019-10-31
DOI: 10.1109/WCNC.2019.8885926 (https://doi.org/10.1109/WCNC.2019.8885926)
Citation count: 19 (Semanticscholar)
SIP DDoS attacks are growing and pose a real threat of crippling public communication infrastructure. The standard approach is to build the defense at or near the attack destination (i.e. the victim's location). This approach is struggling to keep up with the growing volume and sophistication of attacks. To be better prepared for future attacks, the workload needs to be distributed, and the attack needs to be mitigated as close to the attack source as possible. This paper experiments with data plane programming (P4) and control plane programming of Ethernet switches to provide first-hop detection and mitigation capability for SIP INVITE DDoS attacks at every switchport. This approach creates a distributed or source-based defense component which could be added to the existing destination-based components to create a more comprehensive overall solution that is extensible, economical, and scalable against the SIP DDoS attacks of the future.