
A defense framework for flooding-based DDoS attacks

Posted on: 2008-09-02
Degree: M.Sc
Type: Thesis
University: Queen's University (Canada)
Candidate: You, Yonghua
Full Text: PDF
GTID: 2448390005472761
Subject: Computer Science

Abstract/Summary:
Distributed denial of service (DDoS) attacks are widely regarded as a major threat to the Internet. A flooding-based DDoS attack is a very common way to attack a victim machine by sending a large amount of malicious traffic. Existing network-level congestion control mechanisms are inadequate in preventing service quality from deteriorating under these attacks. Although a number of techniques have been proposed to defeat DDoS attacks, it is still hard to detect and respond to flooding-based DDoS attacks because of the large number of attacking machines, the use of source-address spoofing, and the similarity between legitimate and attack traffic. In this thesis, we propose a distributed framework which helps Internet service providers (ISPs) maintain quality of service for legitimate traffic under DDoS attacks.

We evaluate the DDoS defense framework on the NS2 network simulation platform. We also evaluate the effectiveness of the two DDoS detection techniques independently of the proposed defense framework. The results demonstrate that both detection techniques are capable of detecting flooding-based DDoS attacks, and that the defense framework can effectively control attack traffic in order to sustain the quality of service for legitimate traffic. Moreover, the framework shows better performance in defeating flooding-based DDoS attacks than the pushback technique, which uses a local aggregate congestion control mechanism to detect and control the traffic flows that create congestion in a network.

The distributed nature of the DDoS problem requires a distributed solution. In this thesis, we propose a distance-based distributed DDoS defense framework which defends against attacks by coordinating the distance-based DDoS defense systems at the source ends and at the victim end. The proposed distance-based defense system has three major components: detection, traceback, and traffic control.
In the detection component, two distance-based detection techniques are employed. The distance value of a packet indicates the number of hops the packet has traversed from an edge router to the victim. First, an average distance estimation DDoS detection technique is used to detect attacks based on the average distance values of the packets received at the victim end. Second, a distance-based traffic separation DDoS detection technique applies a traffic rate forecasting technique for identifying attack traffic within traffic that is separated based on distance values. For the traceback component, the existing Fast Internet Traceback (FIT) technique is employed to find remote edge routers which forward attack traffic to the victim. Based on the proposed distance-based rate limit mechanism, the traffic control component at the victim end requests the source-end defense systems to set up rate limits on these routers in order to efficiently reduce the amount of attack traffic.
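The two distance-based detection ideas described above, as an added illustration that is not the thesis's own code: it assumes a packet's distance (hops from the sending edge router to the victim) can be approximated from the IP TTL by guessing the initial TTL, that baseline statistics come from constructed normal traffic windows, and that a simple per-distance baseline average stands in for the thesis's rate forecasting technique. Thresholds and the sample windows are arbitrary.

```python
"""Distance-based flood detection sketch (assumptions noted in comments)."""
from collections import Counter
from statistics import mean, pstdev

INITIAL_TTLS = (64, 128, 255)  # assumed common OS defaults for initial TTL

def hops_from_ttl(ttl):
    """Distance estimate: guessed initial TTL minus the observed TTL."""
    for init in INITIAL_TTLS:
        if ttl <= init:
            return init - ttl
    raise ValueError("TTL out of range")

def avg_distance(ttls):
    return mean(hops_from_ttl(t) for t in ttls)

def average_distance_alarm(baseline_windows, window, k=3.0):
    """Technique 1: alarm when a window's mean distance leaves the baseline band."""
    means = [avg_distance(w) for w in baseline_windows]
    mu, sigma = mean(means), max(pstdev(means), 0.1)  # floor avoids div by ~0
    return abs(avg_distance(window) - mu) / sigma > k

def per_distance_rates(ttls):
    """Separate traffic by distance value and count packets per bucket."""
    return Counter(hops_from_ttl(t) for t in ttls)

def separation_alarm(baseline_windows, window, tolerance=3.0, margin=5):
    """Technique 2: compare each distance bucket against its forecast rate
    (here: baseline average per bucket, a stand-in for a real forecaster)
    and return the buckets whose observed rate is anomalously high."""
    forecast = Counter()
    for w in baseline_windows:
        forecast.update(per_distance_rates(w))
    n = len(baseline_windows)
    observed = per_distance_rates(window)
    return sorted(d for d, c in observed.items()
                  if c > tolerance * (forecast[d] / n) + margin)

# Constructed sample traffic: hosts 8-14 hops away with 64/128 initial TTLs,
# plus a small per-window variation so the baseline is not perfectly flat.
def normal_window(extra_hop):
    ttls = [64 - h for h in range(8, 15) for _ in range(20)]
    ttls += [128 - h for h in range(8, 15) for _ in range(10)]
    return ttls + [64 - extra_hop] * 10

BASELINE = [normal_window(h) for h in (9, 11, 13)]
ATTACK = normal_window(11) + [64 - 22] * 600  # flood from networks ~22 hops away

if __name__ == "__main__":
    print("avg-distance alarm:", average_distance_alarm(BASELINE, ATTACK))
    print("suspicious distance buckets:", separation_alarm(BASELINE, ATTACK))
```

The separation output is what the traffic control component would act on: the flagged distance buckets identify which traffic to trace back and rate-limit without touching the rest.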
Keywords/Search Tags: DDoS, Attack, Defense, Traffic, Service, Distributed