Protecting Against Distributed Denial of Service (DDoS) Attacks Using Distributed Filtering

Abstract

We present a new scheme, distributed filtering service or DFS, for protecting services against distributed denial of service (DDoS) attacks. Our system is proactive and requires no changes to the Internet core, and no changes to existing ISP routers. DFS can be deployed incrementally, and benefits are obtained immediately. The key to our approach is forcing traffic destined for protected services to widely dispersed filtering points on the Internet, using IP anycast. DFS requires no unicast address nodes that can be targetted by an attacker; we are unaware of any other DDoS defensive system with this property. We also use two other techniques that have not been well used in DDoS defensive systems: key logging and the IPsec replay window. For the latter, we model attacks and give lower bounds for its effectiveness. We analyze DFS's resistance against large scale DDoS flooding attacks; DFS offers relatively strong protection against DDoS attacks