Title: Distributed DoS Attack Prevention using Route-Based Packet Filtering

Abstract:

Effective mitigation of denial-of-service (DoS) attacks is a pressing problem on the Internet. Most DoS attacks employ IP spoofing to hide the attacker's location. In many instances, a DoS attack could be stopped if the spoofed source IP address could be traced back to its origin, and IP traceback mechanisms have recently been proposed to make such traceback efficient. These mechanisms, however, are susceptible to distributed DoS (DDoS) attacks, and, being reactive, they let spoofed packets exert their debilitating effect on server resources before any corrective action is taken.

In this talk, we describe route-based distributed packet filtering (DPF), a novel approach to DDoS prevention that addresses the weaknesses of previous IP traceback mechanisms, including probabilistic packet marking and ICMP message-based traceback. A route-based filter at an autonomous system (AS) uses the routing information available from BGP to check whether a packet's source address could legitimately have arrived over the link on which it was received, and drops the packet on ingress if it could not. We show that filters of this kind, placed at a subset of ASes, achieve a synergistic filtering effect that proactively prevents a significant fraction (though not all) of spoofed IP flows from reaching their target destinations in the first place. The spoofed IP flows that cannot be prevented from penetrating are few enough that their origin can be localized to within 5 sites, which facilitates effective IP traceback. Collectively, DPF renders 88% of possible attack sites impotent, i.e., no spoofed IP flow emanating from these sites can reach any other target site, which promotes scalable DDoS attack prevention. This filtering effect is achieved by performing the filtering function at fewer than 20% of all ASes in the Internet, which makes incremental deployment feasible. Lastly, we show that the distributed filtering effect depends intimately on the power-law connectivity structure of Internet topology.

About the Speaker:

Dr. Heejo Lee is Chief Technology Officer at Ahnlab, Inc. This work was done while he was at the Network Systems Lab and CERIAS, Purdue University. He received his BS, MS and PhD in Computer Science and Engineering from Pohang University of Science and Technology (POSTECH), Korea, in 1993, 1995 and 2000, respectively. His research interests include network security, parallel scientific computing, and fault-tolerant computing.

References:

S. Savage, D. Wetherall, A. R. Karlin and T. Anderson, "Practical network support for IP traceback", SIGCOMM 2000, pp. 295-306.
K. Park and H. Lee, "On the effectiveness of probabilistic packet marking for IP traceback under denial of service attack", INFOCOM 2001, pp. 338-347.
K. Park and H. Lee, "On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law Internets", SIGCOMM 2001, pp. 15-26.
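To make the mechanism in the abstract concrete, the following Python model is an added illustration and not code or data from the talk or the cited papers. It assumes a constructed six-AS topology, uses BFS shortest paths as a stand-in for BGP best paths, places filters at AS3 and AS4 (an arbitrary choice for the example), and models filters on inter-AS ingress links only, so an AS is assumed not to filter traffic originating inside its own network. For each filtering AS and ingress link it derives the set of source addresses that could legitimately arrive there, forwards spoofed packets along the attacker's real route, and then measures the three things the abstract talks about: which spoofed flows get through, how many candidate origins remain for a flow that does get through, and which sites are rendered impotent.

```python
"""Toy model of route-based distributed packet filtering (DPF).

Added illustration only: topology, filter placement and the use of BFS
shortest paths in place of BGP best paths are assumptions of this example.
"""
from collections import deque

# Constructed six-AS topology; neighbour order fixes shortest-path tie-breaks.
TOPOLOGY = {
    "AS1": ["AS2", "AS3"],
    "AS2": ["AS1", "AS4"],
    "AS3": ["AS1", "AS4", "AS5"],
    "AS4": ["AS2", "AS3", "AS6"],
    "AS5": ["AS3"],
    "AS6": ["AS4"],
}
NODES = set(TOPOLOGY)
# ASes chosen (arbitrarily) to filter on their inter-AS ingress links.
FILTERING_ASES = {"AS3", "AS4"}


def shortest_paths(topology):
    """routes[(s, t)] = AS-level path from s to t (BFS stands in for BGP)."""
    routes = {}
    for src in topology:
        parent = {src: None}
        queue = deque([src])
        while queue:
            u = queue.popleft()
            for v in topology[u]:
                if v not in parent:
                    parent[v] = u
                    queue.append(v)
        for dst in topology:
            path, node = [], dst
            while node is not None:
                path.append(node)
                node = parent[node]
            routes[(src, dst)] = path[::-1]
    return routes


def build_filters(routes, filtering_ases):
    """allowed[(u, v)]: sources that legitimately arrive at filtering AS v
    over the link from neighbour u, i.e. some real route from s crosses u->v.
    Any other source address seen on that link is provably spoofed."""
    allowed = {}
    for (s, _t), path in routes.items():
        for u, v in zip(path, path[1:]):
            if v in filtering_ases:
                allowed.setdefault((u, v), set()).add(s)
    return allowed


def packet_reaches(routes, allowed, filtering_ases, attacker, spoofed_src, target):
    """Follow the attacker's real route to target; drop at the first filtering
    AS whose ingress filter on that link does not admit the claimed source.
    (Assumption: an AS does not filter packets originating in its own network.)"""
    path = routes[(attacker, target)]
    for u, v in zip(path, path[1:]):
        if v in filtering_ases and spoofed_src not in allowed.get((u, v), set()):
            return False
    return True


def traceback_candidates(routes, allowed, filtering_ases, spoofed_src, target):
    """Sites from which a packet spoofing `spoofed_src` still reaches `target`:
    the set a traceback of that flow has to disambiguate."""
    return {a for a in NODES if a not in (spoofed_src, target)
            and packet_reaches(routes, allowed, filtering_ases, a, spoofed_src, target)}


def impotent_sites(routes, allowed, filtering_ases):
    """Sites from which no spoofed packet can reach any other site."""
    return {a for a in NODES
            if not any(packet_reaches(routes, allowed, filtering_ases, a, s, t)
                       for s in NODES for t in NODES if len({a, s, t}) == 3)}


def spoofable_triples(routes, allowed, filtering_ases):
    """(triples (attacker, spoofed source, target) that get through, total)."""
    triples = [(a, s, t) for a in NODES for s in NODES for t in NODES if len({a, s, t}) == 3]
    passed = sum(packet_reaches(routes, allowed, filtering_ases, *x) for x in triples)
    return passed, len(triples)


ROUTES = shortest_paths(TOPOLOGY)
ALLOWED = build_filters(ROUTES, FILTERING_ASES)

if __name__ == "__main__":
    for link, srcs in sorted(ALLOWED.items()):
        print("filter", link, "admits", sorted(srcs))
    print("AS2 spoofing AS5 toward AS6 gets through:",
          packet_reaches(ROUTES, ALLOWED, FILTERING_ASES, "AS2", "AS5", "AS6"))
    print("sites able to spoof AS2 toward AS6:",
          sorted(traceback_candidates(ROUTES, ALLOWED, FILTERING_ASES, "AS2", "AS6")))
    print("impotent sites:", sorted(impotent_sites(ROUTES, ALLOWED, FILTERING_ASES)))
    print("spoofed triples passing / total:", spoofable_triples(ROUTES, ALLOWED, FILTERING_ASES))
```

In this toy topology, filtering at only two of the six ASes drops 76 of the 120 possible spoofed (attacker, source, target) combinations, renders the two stub ASes behind the filters (AS5 and AS6) impotent, and leaves only AS1 and AS4 as possible origins of a packet that spoofs AS2 toward AS6, which is the "localize to a few sites" effect the abstract describes. Note that a filter needs the routing view of the whole topology to build its admitted-source sets, and that the 88% and 20% figures in the abstract come from the paper's Internet-scale AS graphs, not from a graph this small.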