A Four-StepTechnique forTackling DDoS Attacks

This paper proposes a novel feedback-based control technique that tackles distributed denial of service (DDoS) attacks in four consecutive phases. While protection routers close to the server control inbound traffic rate and keeps the server alive (phase 1), the server negotiate with upstream routers close to traffic sources to install leaky-buckets for its IP address. The negotiation continues until a defense router on each traffic link accepts the request (phase 2). Next, the server through a feedback-control process adjusts size of leaky-buckets until inbound traffic locates in a desired range (phase 3). Then through a fingerprint test, the server detects which port interfaces of defense routers purely carry good traffic and subsequently asks corresponding defense routers to remove the leaky-bucket limitations for those port interfaces. Additionally, the server amends size of leaky-buckets for the defense routers proportional to amount of good traffic that each one carries (phase 4). Simulation-based results shows that our technique effectively, defenses a victim server against various DDoS attacks such that in most cases more than 90% of good inbound traffic reaches the server while the DDoS attack has been controlled as well. © 2011 Published by Elsevier Ltd.