A redirection-based defense mechanism against flood-type attacks in large-scale ISP networks

When DoS/DDoS and/or worm attacks occur, it is necessary for Internet service providers to filter out the attack packets and thus provide the users with high data-transmission quality. We propose a defense mechanism based on traffic redirection in which the edge and border routers divert suspicious packets to central defense nodes (C-DNs). For defense in large-scale networks, this is superior to conventional mechanisms such as pushback in terms of operating costs, because the required number of defense nodes is small. In the proposed redirection-based defense mechanism, tunnels are set up between all edge/ border routers and the C-DNs, and the packets destined for victims are diverted to the C-DNs by configuring the policy-based routing rules of the edge and border routers. We compare four techniques using tunneling in traffic-redirection and clarify the advantages of the proposed mechanism for defense in large-scale networks. We also evaluate the reduction in the required number of defense nodes: a reduction in the 25-60% range is possible with large networks.