History-Based Throttling of Distributed Denial-of-Service Attacks

2017 
Distributed Denial-of-Service (DDoS) attacks have been identified as one of the most serious threats to Internet services. The attack denies service to legitimate users by flooding and consuming the network resources of the target server. We propose a distributed defense mechanism that filters out malicious traffic and admits a significant share of legitimate traffic during an actual attack. We investigate the features of network traffic that can be used for such filtering and describe a history-based profiling algorithm to identify legitimate traffic. We use Bloom filters to implement the history-based profile model efficiently, which reduces communication and computation costs. To reduce these costs further, we describe two optimizations: (a) using only three octets of the IP address to generate the history profile, and (b) a data structure called the Compacted Bloom Filter, a modified version of a regular Bloom filter. We use these notions as building blocks to describe a distributed framework called Collaborative Filtering, which filters attack traffic as far away from the target server as possible. The proposed techniques identify the set of nodes best suited for filtering attack traffic and place the Bloom filters at these locations. The approach is evaluated on different real-world data sets from Auckland University, CAIDA, and Colorado State University. Under different experimental settings, we demonstrate that 70–95% of attack traffic can be filtered by our approach while allowing the flow of a similar percentage of legitimate traffic.
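The core of the history-based profile above can be sketched in a few dozen lines: a Bloom filter is populated with the three-octet (/24) prefixes of sources observed during a normal period, and during an attack only sources whose prefix is present in the filter are admitted. The following is an added illustration written for this page, not code from the paper; the Bloom filter sizing, the SHA-256 double hashing, and the sample addresses are all assumptions chosen for the example.

```python
import hashlib
import ipaddress


class BloomFilter:
    """Plain Bloom filter over a bit array with k double-hashed positions (assumed design)."""

    def __init__(self, m_bits: int, k_hashes: int):
        self.m, self.k = m_bits, k_hashes
        self.bits = bytearray((m_bits + 7) // 8)

    def _positions(self, item: str):
        # Derive k bit positions from one SHA-256 digest (Kirsch-Mitzenmacher double hashing).
        d = hashlib.sha256(item.encode()).digest()
        h1, h2 = int.from_bytes(d[:8], "big"), int.from_bytes(d[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item: str) -> None:
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item: str) -> bool:
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))


def prefix24(ip: str) -> str:
    """Three-octet key: the /24 network the source address belongs to."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False).network_address)


def build_history(normal_period_ips, m_bits=1 << 16, k_hashes=4) -> BloomFilter:
    """Profile the sources seen during a normal period by their /24 prefix."""
    bf = BloomFilter(m_bits, k_hashes)
    for ip in normal_period_ips:
        bf.add(prefix24(ip))
    return bf


def filter_attack_traffic(history: BloomFilter, packets):
    """Return (admitted, dropped) source lists for packets seen during an attack."""
    admitted, dropped = [], []
    for src in packets:
        (admitted if prefix24(src) in history else dropped).append(src)
    return admitted, dropped


# Constructed sample data: clients seen before the attack, then an attack window
# mixing hosts from known networks with never-seen (e.g. spoofed) sources.
HISTORY_IPS = ["10.0.1.5", "10.0.1.9", "192.0.2.40", "198.51.100.7"]
ATTACK_IPS = ["10.0.1.77", "192.0.2.41", "203.0.113.1", "203.0.113.2", "198.51.100.250"]
```

Note that a Bloom filter can only produce false positives, so an attacker from a prefix already in the profile is admitted; the paper's percentages reflect how often this happens on real traces, which a toy sample cannot show.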