A Gateway-based Defense System for Distributed Denial-of-Service Attacks in High-Speed Networks

We describe a defense system to contain Distributed Denial-of-Service (DDoS) flooding attacks in highspeed networks. We aim at protecting TCP friendly traffic, which forms a large portion of Internet traffic. DDoS flooding attacks tend to establish large numbers of malicious traffic flows to congest network. These flows are marked as TCP flows, and use spoofed source identifiers to hide their identities. Current network equipment lacks the countermeasure abilities for such kind of DDoS attack. We describe a gateway-based countermeasure approach. A gateway is a device that is inserted in some point of the network. We envision the gateway devices that are deployed in the network to collaboratively perform the desired countermeasure functions, including detection of DDoS flooding attacks and access control of network traffic. Given the nature of DDoS attack in high speed networks and the limitation of defense resources, it is impossible for the gateway to work on the individual level of on-going traffic flows. We use a groupbased strategy where we partition the network under DDoS attack into several subnetworks, and handle the traffic from the same subnetworks as an aggregate. This approach is applied both in attack detection and access control. With this strategy, the system can be free from the overhead to handle individual flows, and focus on the groups of traffic flows.