Resistance against Distributed Denial of Service Attacks (DDoS) Using Bandwidth Based Admission Control

Internet hosts are threatened by large-scale Distributed Denial ofService (DDoS) attacks. The Path Identification DDoS defense scheme has recently been proposed as a deterministic packet marking scheme that allows a DDoS victim to filter out attack packets on a per packet basis with high accuracy after only a few attack packets are received. The previous work suggested depicts the Stack Path identification marking, a packet marking scheme based on path identification, and filtering mechanisms. To circumvent detection, attackers are increasingly moving from floods to attacks that mimic the behavior of a large number of clients, and target expensive higher-layer resources such as CPU, database and disk bandwidth. The resulting attacks are hard to defend against using standard techniques, as the malicious requests differ from the legitimate ones in intent but not in content. The proposal in this work improves our previous path identification scheme to protect network servers against DDoS attacks that masquerade the crowds. It provides rate filter authentication using verifiers different from other systems by using an intermediate stage to identify the IP addresses that ignore the verifier, and persistently bombard the server with requests despite repeated failures. Once these machines are identified, it blocks their requests, and allows access to legitimate users. It protects the