DocumentCode :
2962800
Title :
Trawling Traffic under Attack, Overcoming DDoS Attacks by Target-Controlled Traffic Filtering
Author :
Dolev, Shlomi ; Elovici, Yuval ; Kesselman, Alex ; Zilberman, Polina
Author_Institution :
Dept. of Comput. Sci., Ben-Gurion Univ. of the Negev, Beer-Sheva, Israel
fYear :
2009
fDate :
8-11 Dec. 2009
Firstpage :
336
Lastpage :
341
Abstract :
As more and more services are provided by servers via the Internet, Denial-of-Service (DoS) attacks pose an increasing threat to the Internet community. A DoS attack overloads the target server with a large volume of adverse requests, thereby rendering the server unavailable to "well-behaved" users. Recently, the novel paradigm of traffic ownership that enables the clients of Internet service providers (ISP) to configure their own traffic processing policies has gained popularity. In this paper, we propose two algorithms belonging to this paradigm that allow attack targets to dynamically filter their incoming traffic based on a distributed policy. The proposed algorithms defend the target against DoS and distributed DoS (DDoS) attacks and simultaneously ensure that it continues to receive valuable users' traffic. In a nutshell, a target can define a filtering policy which consists of a set of traffic classification rules and the corresponding amounts of traffic, measured in bandwidth units, which match each rule. The filtering algorithm is enforced by the ISP's or the Network Service Provider's (NSP) routers when a target is being overloaded with traffic. The goal is to maximize the amount of filtered traffic forwarded to the target, according to the filtering policy, from the ISP's or the NSP's network. The first algorithm we propose relies on complete collaboration among the ISP/NSP routers. It computes the filtering policy in polynomial time and delivers the best possible traffic mix to the target. The second algorithm is a distributed algorithm which assumes no collaboration among the ISP/NSP routers, each router only uses local information about its incoming traffic. We show the intuition behind the proof of lower bound on the second algorithm's worst-case performance.
Keywords :
Internet; telecommunication security; telecommunication traffic; DDoS attacks; ISP/NSP routers; Internet community; Internet service providers; adverse requests; attack targets; bandwidth units; distributed algorithm; distributed denial-of-service attacks; distributed policy; filtering algorithm; filtering policy; incoming traffic; local information; network service provider routers; polynomial time; target server; target-controlled traffic filtering; traffic classification rules; traffic ownership; traffic processing policies; trawling traffic; valuable user traffic; well-behaved users; Bandwidth; Collaboration; Computer crime; Information filtering; Information filters; Matched filters; Measurement units; Telecommunication traffic; Web and internet services; Web server; DDoS; Filtering Policy; ISP; Machine Learning; NSP; Network Security; Traffic Shaping;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Parallel and Distributed Computing, Applications and Technologies, 2009 International Conference on
Conference_Location :
Higashi Hiroshima
Print_ISBN :
978-0-7695-3914-0
Type :
conf
DOI :
10.1109/PDCAT.2009.40
Filename :
5372783
Link To Document :