DDoS Defense Deployment with Network Egress and Ingress Filtering

Abstract

In this paper, we propose a DDoS defense architecture, named NEIF (Network Egress and Ingress Filtering), which is deployed at the Internet Service Provider's (ISP) edge routers to prohibit DDoS attacks into and from the ISPs' networks. The main challenge is how to implement NEIF with a small fixed amount of memory and low implementation complexity so that it may be acceptable by ISPs. We first design a bloom filter based data structure to identify and measure a few relatively large flows instead of all flows, where the amount of required memory is independent of link speeds and the number of flows. Then, the relatively large flows are rate-limited to their fair share based on the packet symmetry-the ratio of received and transmitted packets of a host. The dropping decisions of each flow are made on the observed counters directly that are with low implementation complexity. Finally, we implement NEIF with Click and perform experiments on PlanetLab. The experimental results validate our analysis and show that the Internet can benefit from NEIF even under partial deployment.