Traffic Redirection Attack Protection System (traps)

Distributed Denial of Service (DDoS) attackers typically use spoofed IP addresses to prevent exposing their identities and easy filtering of attack traffic. This paper introduces a novel mitigation scheme, TRAPS, whereby the victim verifies source address authenticity by performing reconfiguration for traffic redirection and informing high ongoing-traffic correspondents. The spoofed sources are not informed and will continue to use the old configuration to send packets, which can then be easily filtered off. Adaptive rate-limiting can be used on the remaining traffic, which may be attack packets with randomly-generated spoofed IP addresses. We compare our various approaches for achieving TRAPS functionality. The end-host approach is based on standard Mobile IP protocol and does not require any new protocols, changes to Internet routers, nor prior traffic flow characterizations. It supports adaptive, real-time and automatic responses to DDoS attacks. Experiments are conducted to provide proof of concept.