The Coremelt Attack

  • Ahren Studer
  • Adrian Perrig
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5789)


Current Denial-of-Service (DoS) attacks are directed towards a specific victim. The research community has devised several countermeasures that protect the victim host against undesired traffic.

We present Coremelt, a new attack mechanism, where attackers only send traffic between each other, and not towards a victim host. As a result, none of the attack traffic is unwanted. The Coremelt attack is powerful because among N attackers, there are O(N2) connections, which cause significant damage in the core of the network. We demonstrate the attack based on simulations within a real Internet topology using realistic attacker distributions and show that attackers can induce a significant amount of congestion.


Autonomous System Backbone Link Target Link USENIX Security Symposium Malicious Party 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Magoni, D.: Tearing down the internet (2003)Google Scholar
  2. 2.
    Savage, S., Cardwell, N., Wetherall, D., Anderson, T.: TCP Congestion Control with a Misbehaving Receiver. ACM SIGCOMM Computer Communication Review 29(5) (1999)Google Scholar
  3. 3.
    CAIDA: As relationships dataset (January 5, 2009),
  4. 4.
    Moore, D., Shannon, C.: The caida dataset on the code-red worms (July-August, 2001),
  5. 5.
    Burch, H., Cheswick, B.: Tracing anonymous packets to their approximate source. In: Proceedings of the Large Installation System Administration Conference (2000)Google Scholar
  6. 6.
    Goodrich, M.: Efficient Packet Marking for Large-Scale IP Traceback. In: Proceedings of ACM CCS (November 2001)Google Scholar
  7. 7.
    Snoeren, A.C., Partridge, C., Sanchez, L.A., Jones, C.E., Tchakountio, F., Kent, S.T., Strayer, W.T.: Hash-Based IP Traceback. In: Proceedings of ACM SIGCOMM 2001, pp. 3–14 (2001)Google Scholar
  8. 8.
    Snoeren, A.C., Partridge, C., Sanchez, L.A., Jones, C.E., Tchakountio, F., Schwartz, B., Kent, S.T., Strayer, W.T.: Single-Packet IP Traceback. IEEE/ACM Transactions on Networking (ToN) 10(6) (December 2002)Google Scholar
  9. 9.
    Savage, S., Wetherall, D., Karlin, A., Anderson, T.: Practical network support for IP traceback. In: Proceedings of ACM SIGCOMM (August 2000)Google Scholar
  10. 10.
    Yaar, A., Perrig, A., Song, D.: Pi: A path identification mechanism to defend against DDoS attacks. In: Proceedings of IEEE Symposium on Security and Privacy (May 2003)Google Scholar
  11. 11.
    Yaar, A., Perrig, A., Song, D.: SIFF: A stateless Internet flow filter to mitigate DDoS flooding attacks. In: Proceedings of IEEE Symposium on Security and Privacy (May 2004)Google Scholar
  12. 12.
    Yang, X., Wetherall, D., Anderson, T.: A DoS-limiting network architecture. In: Proceedings of ACM SIGCOMM (August 2005)Google Scholar
  13. 13.
    Argyraki, K., Cheriton, D.: Scalable Network-layer Defense Against Internet Bandwidth-Flooding Attacks. IEEE/ACM Transactions on Networking (2009)Google Scholar
  14. 14.
    Aura, T., Nikander, P., Leiwo, J.: DoS-resistant Authentication with Client Puzzles. In: Proceedings of Security Protocols Workshop (2001)Google Scholar
  15. 15.
    Dean, D., Stubblefield, A.: Using client puzzles to protect TLS. In: Proceedings of USENIX Security Symposium (2001)Google Scholar
  16. 16.
    Juels, A., Brainard, J.: Client puzzles: A cryptographic countermeasure against connection depletion attacks. In: Proceedings of ISOC NDSS (1999)Google Scholar
  17. 17.
    Parno, B., Wendlandt, D., Shi, E., Perrig, A., Maggs, B., Hu, Y.-C.: Portcullis: Protecting connection setup from denial-of-capability attacks. In: Proceedings of the ACM SIGCOMM (August 2007)Google Scholar
  18. 18.
    Wang, X., Reiter, M.: Defending against denial-of-service attacks with puzzle auctions. In: Proceedings of IEEE Symposium on Security and Privacy (May 2003)Google Scholar
  19. 19.
    Chou, J., Lin, B., Sen, S., Spatscheck, O.: Proactive surge protection: A defense mechanism for bandwidth-based attacks. In: USENIX Security Symposium (2008)Google Scholar
  20. 20.
    Stoica, I., Shenker, S., Zhang, H.: Core-stateless fair queueing: A scalable architecture to approximate fair bandwidth allocations in high speed networks. In: Proceedings of ACM SIGCOMM (1998)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Ahren Studer
    • 1
  • Adrian Perrig
    • 1
  1. 1.Carnegie Mellon UniversityUSA

Personalised recommendations