Title :
PISA*: A System for Control of DDoS Attacks
Author :
Chhabra, Parminder ; Das, Sajal K. ; John, Ajita ; Zhang, Wei
Author_Institution :
Boston University, Boston, MA, USA. pchhabra@cs.bu.edu
Abstract :
DDoS attacks can cause extreme performance degradation at network elements when a large number of malicious flows collaborate to cause congestion, resulting in a denial of service to legitimate users. The flows form a logical aggregate which is typically characterized by similar values in several fields in their packets. The fields and their similar values form a signature for the attack. The focus of this paper is on providing protection to legitimate users against such attacks by detecting significant signatures in network traffic and controlling aggregates of flows carrying these signatures. The paper proposes a system PISA* for deployment at a network element. The detection algorithm in PISA* is based on an improved version of our earlier randomized algorithm. A new control mechanism based on a drop probability function over an attribute named RED Drop Aggregate (RDA) is incorporated in PISA*. RDA is the normalized count of the number of RED (Random Early Detection) drops suffered by the flows carrying a signature. This paper discusses results from an implementation of PISA* that demonstrates that it is effective in detecting, isolating, and controlling offending traffic and providing protection to non-offending traffic.
Keywords :
Aggregates; Automatic control; Bandwidth; Communication system traffic control; Computer crime; Control systems; Kernel; Protection; Protocols; TCPIP; RED; aggregation; malicious sources; security attacks; traffic signatures;
Conference_Title :
Communications, 2006. ICC '06. IEEE International Conference on
Conference_Location :
Istanbul
Print_ISBN :
1-4244-0355-3
Electronic_ISBN :
8164-9547
DOI :
10.1109/ICC.2006.255092