Vasilios A. Siris and Ilias Stavrakis
Institute of Computer Science (ICS), FORTH and
Abstract
One of the most serious security threats in the Internet is Distributed Denial of Service (DDoS) attacks, due to the significant service disruption they can create and the difficulty of preventing them. In this paper, we propose new deterministic packet marking models in order to characterize DDoS attack streams. Such a common characterization can be used to make filtering near the victim more effective. In this direction, we propose a rate control scheme that protects destination domains by limiting the amount of traffic during an attack, while leaving a large percentage of legitimate traffic unaffected. The above features enable providers to offer enhanced security protection against such attacks as a value-added service to their customers, hence offering them positive incentives to deploy the proposed models. We evaluate the proposed marking models using a snapshot of the actual Internet topology, in terms of how well they differentiate attack traffic from legitimate traffic in cases of full and partial deployment.
Keywords: Distributed Denial of Service (DDoS), defense models, filtering