DocumentCode :
2104146
Title :
Mutual-aid team: Protect poor clients in rate-limiting-based DDoS defense
Author :
Fei Wang ; Xiaofeng Hu ; Jinshu Su
Author_Institution :
Sch. of Comput., Nat. Univ. of Defense Technol., Changsha, China
fYear :
2012
fDate :
9-11 Nov. 2012
Firstpage :
773
Lastpage :
778
Abstract :
Distributed Denial of Service (DDoS) attacks seriously threaten Internet-enabled applications and cause huge financial losses. To tackle this problem, rate limiting is widely adopted due to its effectiveness in high-volume traffic mitigation. However, a portion of valid packets, some of which are vital requests, from legitimate clients may be dropped unintentionally, as they are involved in the same aggregates with attack traffic. We call this phenomenon the poor client problem. To protect these poor clients, this paper proposes a mutual-aid team system as a pioneer. Rather than pursuing a perfect classification method, which is impossible, we provide additional service for poor clients via valid flow redirection. In core defense, the mutual-aid team system adopts an existing rate-limiting-based mechanism to prevent the victim from being overwhelmed. At edge networks, by joining in the mutual-aid team, mutual-aid members help each other forward valid flows to destinations, in a different aggregate that is not rate limited. As a result, poor clients can successfully access the victim. We prove the validity of our approach via simulation. Compared with sole core defense, our mutual-aid team system significantly increases the proportion of valid packets that reach their destinations successfully. We also discuss deployment incentives of the proposed approach, self-protection and fee-based service, which are strong economic encouragement for ISPs' innovations.
Keywords :
Internet; computer network security; DDoS attack; ISP innovations; Internet-enabled applications; attack traffic; distributed denial of service attack; economic encouragement; fee-based service; high-volume traffic mitigation; huge financial losses; mutual-aid members; our mutual-aid team system; perfect classification method; phenomenon poor client problem; protect poor clients; rate-limiting-based DDoS defense; rate-limiting-based mechanism; self-protection service; sole core defense; DDoS Defense; poor client problem; rate limiting; redirection;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Communication Technology (ICCT), 2012 IEEE 14th International Conference on
Conference_Location :
Chengdu
Print_ISBN :
978-1-4673-2100-6
Type :
conf
DOI :
10.1109/ICCT.2012.6511308
Filename :
6511308