On Filtering of DDoS Attacks Based on Source Address Prefixes

G. Pack, Jaeyoung Yoon, Eli Collins, Cristian Estan
DOI: 10.1109/SECCOMW.2006.359537 (https://doi.org/10.1109/SECCOMW.2006.359537)
Venue: 2006 Securecomm and Workshops
Publication date: 2006-08-01
Citations: 27

Abstract

Distributed denial of service (DDoS) attacks are a grave threat to Internet services and even to the network itself. Widely distributed "zombie" computers subverted by malicious hackers are used to orchestrate massive attacks. Any defense against such flooding attacks must solve the hard problem of distinguishing the packets that are part of the attack from legitimate traffic, so that the attack can be filtered out without much collateral damage. We explore one technique that can be used as part of DDoS defenses: using ACL rules that distinguish the attack packets from the legitimate traffic based on the source addresses in packets. One advantage of this technique is that the ACL rules can be deployed in routers deep inside the network, where the attack isn't large enough to cause loss of legitimate traffic due to congestion. The most important disadvantage is that the ACL rules can also cause collateral damage by discarding some legitimate traffic. We use simulations to study this damage and how it is influenced by various factors. Our technique is much better than uninformed dropping due to congestion, but it produces larger collateral damage than more processing-intensive approaches. For example, it can reduce the attack size by a factor of 3 while also dropping between 2% and 10% of the legitimate traffic. We recommend the use of source-address-prefix-based filtering in combination with other techniques, for example as a coarse pre-filter that ensures that devices performing the processing-intensive filtering are not overwhelmed.
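The trade-off the abstract quantifies (attack reduction factor versus the share of legitimate traffic discarded) can be made concrete with a small model. The following is an added example, not code from the paper and not a reproduction of its simulation setup: it aggregates per-source packet counts into prefixes of a chosen length, denies the most attack-heavy prefixes subject to an ACL-size budget, and measures both metrics. The addresses and counts are constructed sample data, and the "attack share" ranking heuristic is an assumption of this example rather than the selection method studied in the paper.

```python
"""Toy model of source-prefix ACL filtering and its collateral damage.

Added example (not the paper's code). Source addresses, packet counts and the
prefix-ranking heuristic are all constructed assumptions for illustration.
"""
import ipaddress
from collections import defaultdict

# Constructed sample: (source address, attack packets, legitimate packets).
# 203.0.113.0/24 is almost purely attack traffic, 198.51.100.0/24 is mixed,
# and 192.0.2.0/24 is mostly legitimate with one noisy host.
SAMPLE_TRAFFIC = [
    ("203.0.113.5",   500,   0),
    ("203.0.113.9",   400,   5),
    ("203.0.113.77",  300,   0),
    ("198.51.100.3",  200,  10),
    ("198.51.100.40",   0,  90),
    ("192.0.2.1",       0, 300),
    ("192.0.2.200",   100, 100),
    ("192.0.2.33",      0, 200),
]


def aggregate_by_prefix(traffic, prefix_len):
    """Sum attack and legitimate packets per /prefix_len network."""
    attack = defaultdict(int)
    legit = defaultdict(int)
    for addr, a, l in traffic:
        net = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
        attack[net] += a
        legit[net] += l
    return attack, legit


def choose_block_prefixes(traffic, prefix_len, max_rules, min_attack_share=0.5):
    """Pick up to max_rules prefixes to deny, most attack-heavy first.

    A prefix qualifies only if attack packets make up at least
    min_attack_share of its traffic, so mostly-legitimate prefixes are
    never placed in the ACL (assumed heuristic, not the paper's).
    """
    attack, legit = aggregate_by_prefix(traffic, prefix_len)
    candidates = []
    for net in attack:
        total = attack[net] + legit[net]
        share = attack[net] / total if total else 0.0
        if attack[net] > 0 and share >= min_attack_share:
            candidates.append((share, attack[net], net))
    # Highest attack share first; break ties by attack volume.
    candidates.sort(key=lambda c: (c[0], c[1]), reverse=True)
    return [net for _, _, net in candidates[:max_rules]]


def evaluate(traffic, blocked):
    """Return (attack_reduction_factor, legit_drop_fraction) for an ACL.

    attack_reduction_factor = attack volume before / attack volume after;
    legit_drop_fraction    = legitimate packets discarded / all legitimate.
    """
    total_attack = sum(a for _, a, _ in traffic)
    total_legit = sum(l for _, _, l in traffic)
    dropped_attack = dropped_legit = 0
    for addr, a, l in traffic:
        ip = ipaddress.ip_address(addr)
        if any(ip in net for net in blocked):
            dropped_attack += a
            dropped_legit += l
    remaining_attack = total_attack - dropped_attack
    factor = total_attack / remaining_attack if remaining_attack else float("inf")
    return factor, dropped_legit / total_legit


if __name__ == "__main__":
    # Coarse /24 rules versus per-host /32 rules: same attack reduction,
    # very different collateral damage and ACL size.
    for prefix_len, budget in ((24, 1), (24, 2), (32, 4)):
        acl = choose_block_prefixes(SAMPLE_TRAFFIC, prefix_len, budget)
        factor, dropped = evaluate(SAMPLE_TRAFFIC, acl)
        print(f"/{prefix_len} with {len(acl)} rule(s): attack reduced "
              f"{factor:.1f}x, legitimate traffic dropped {dropped:.1%}")
```

On the constructed data, two /24 rules cut the attack by 15x but discard about 15% of legitimate traffic, while four /32 rules reach the same 15x at roughly 2% collateral damage. That is the abstract's point in miniature: coarse prefixes keep the ACL small enough for a router deep in the network, at the cost of more legitimate loss, which is why the authors position the technique as a pre-filter in front of finer-grained mechanisms.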