
An efficient distributed packet filtering heuristic for defense against distributed denial of service attacks

Posted on: 2004-12-09
Degree: Ph.D
Type: Dissertation
University: Princeton University
Candidate: Schneider, Michael A
Full Text: PDF
GTID: 1458390011956540
Subject: Computer Science
Abstract/Summary:
Denial-of-Service (DoS) and Distributed-Denial-of-Service (DDoS) attacks enable attackers to deny access to arbitrary services on the Internet. These attacks are dangerous and can cause significant disruption of services. Currently, there are few effective defenses against DoS/DDoS attacks. Source address spoofing, where a packet is inscribed with a source address other than the true source, is an important component of most DoS and DDoS attacks. We present a novel heuristic for route-based distributed packet filtering (DPF) to reduce the volume of spoofed traffic on the Internet. Our heuristic, which is a generalization of widely used ingress filtering, is an improvement over existing DPF methods and a better mechanism than other current DoS/DDoS defenses. It is effective even when implemented on a modest fraction of Internet systems, and can be implemented efficiently without additional Internet protocols. We suggest a number of discipline mechanisms that implementers may use to assure that the filtering has little or no adverse impact on Internet services while still providing protection against DoS/DDoS attacks.
Keywords/Search Tags: Attacks, Filtering, Internet, Distributed, Services, Packet, Heuristic