Title :
DLimiter: Mitigating Distributed Denial of Service by Using Multiple Discipline Queues
Author :
Campo Giralte, Luis ; Martin de Diego, Isaac ; Conde, Cristina ; Cabello, Enrique
Author_Institution :
Rey Juan Carlos Univ., Madrid, Spain
Abstract :
A distributed denial of service (DDoS) attack is similar to a DoS attack except for the fact that the DDoS attack is launched from multiple hosts, hence the name distributed. A DDoS attack is more effective than a DoS attack and is much more difficult to detect and mitigate due to the distributed nature of its attacks. In this paper, we propose a low-cost system called DLimiter (DDoS Limiter). Its architecture can mitigate those attacks in which links near the target see their bandwidth exhausted before host resources. This is achieved using a hybrid low-cost router-based solution. It is a hybrid solution in the sense that it uses both router-based rate-limiting functions and honeypot functionalities. Our main goal is to provide uninterrupted service to regular users (someone who makes proper use of the server's resources) during a DDoS attack. The system is based on a variable multi-queue discipline and works with linear and exponential queues that change depending on the duration of the attack. The system can also control flow rates just like a honeypot. It is oriented to multi-core environments and functions at the network layer. The system has been evaluated in six different scenarios, using real software and hardware, and the results show that it is able to mitigate the effects of a DDoS attack on regular users.
Keywords :
computer network security; telecommunication network routing; DDoS attack; DDoS-Limiter; DLimiter; Honeypot functionalities; attack duration; bandwidth; control flow rates; distributed denial-of-service attack mitigation; exponential queues; host resources; hybrid low-cost router-based rate-limiting functions; linear queues; multicore environments; multiple discipline queues; network layer; regular users; server resources; uninterrupted service; variable multiqueues; Bandwidth; Computer crime; Delays; IP networks; Instruction sets; Servers; denial of service; queues;
Conference_Title :
Mechatronics, Electronics and Automotive Engineering (ICMEAE), 2013 International Conference on
Conference_Location :
Morelos
Print_ISBN :
978-1-4799-2252-9
DOI :
10.1109/ICMEAE.2013.29