DocumentCode :
401146
Title :
Defeating distributed denial-of-service attack with deterministic bit marking
Author :
Kim, Yoohwan ; Jo, Ju-Yeon ; Merat, Frank L.
Author_Institution :
Dept. of Electr. Eng. & Comput. Sci., Case Western Reserve Univ., Cleveland, OH, USA
Volume :
3
fYear :
2003
fDate :
1-5 Dec. 2003
Firstpage :
1363
Abstract :
Distributed denial-of-service (DDoS) attacks are a serious threat on the Internet. We propose a bit marking concept to identify and drop DDoS attack packets. Bit marking is a variation of the packet marking technique that modifies packet headers at each router. However, instead of storing the router information in the packets, bit marking alters one or more bits in the marking field. The bit marking process discussed in this paper is performed on all packets and at all routers along the path; hence it is called deterministic bit marking (DBM). DBM creates a common path signature for all packets originating from the same location upon arriving at a destination. Since different source networks generate virtually unique path signatures, DBM makes it possible to isolate and discard DDoS attack traffic. From the Internet topology of autonomous systems, we observe that the source networks are quite uniformly distributed over the path signature space. In our simulation, over 99% of the attack traffic is blocked using DBM while up to 99% of the legitimate traffic passes. DBM can also be used for source traceback using reverse bit marking. DBM can be deployed independently by each ISP, and DBM-based networks can be protected from attacks coming from non-DBM networks.
Keywords :
Internet; network topology; packet switching; ISP; Internet; Internet topology; autonomous systems; common path signature; deterministic bit marking; distributed denial-of-service attack; packets; router information; Bandwidth; Computer crime; Filtering; IP networks; Internet; Network servers; Network topology; Protection; Telecommunication traffic; Traffic control;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Global Telecommunications Conference, 2003. GLOBECOM '03. IEEE
Print_ISBN :
0-7803-7974-8
Type :
conf
DOI :
10.1109/GLOCOM.2003.1258461
Filename :
1258461