DocumentCode
423217
Title
Tackling congestion to address distributed denial of service: a push-forward mechanism
Author
Krishnamoorthy, Srinivasan ; Dasgupta, Partha
Author_Institution
Dept. of Comput. Sci. & Eng., Arizona State Univ., Tempe, AZ, USA
Volume
4
fYear
2004
fDate
29 Nov.-3 Dec. 2004
Firstpage
2055
Abstract
Distributed denial of service attacks prevent legitimate users from accessing a target machine or the service a target machine provides. One common method of attack is overwhelming the target machine with a large volume of traffic. Thus, handling congestion indirectly leads to detection and recovery from distributed denial of service attacks. The Internet is an interconnected collection of autonomous systems. Every host on an autonomous system connects to the Internet through an access router. Monitoring the rate of packets to and from a host, at the access router, helps in identifying distributed denial of service attacks initiated at the host. Monitoring every access router leads to an effective distributed denial of service prevention, but is infeasible. An alternative is a combination of access router monitoring and intermediate router monitoring with a novel push-forward mechanism that provides good defense within manageable deployment requirements. Push-forward messages reduce the amount of traffic to monitor at the intermediate routers. Prototype testing and simulations of such a combination reveal good congestion detection and recovery time with very little performance overhead.
Keywords
Internet; telecommunication congestion control; telecommunication network routing; telecommunication security; telecommunication traffic; Internet; access router monitoring; autonomous systems; congestion detection; congestion handling; distributed denial of service; intermediate router monitoring; network security; push-forward mechanism; recovery time; Computer crime; Filtering; Internet; Logic; Monitoring; Security; Telecommunication traffic; Testing; Traffic control; Virtual prototyping;
fLanguage
English
Publisher
ieee
Conference_Titel
Global Telecommunications Conference, 2004. GLOBECOM '04. IEEE
Print_ISBN
0-7803-8794-5
Type
conf
DOI
10.1109/GLOCOM.2004.1378373
Filename
1378373