PacketScore: Statistical-based overload control against Distributed Denial-of-Service Attacks
Authors
Abstract
Distributed Denial-of-Service (DDoS) attacks are a critical threat to the Internet. Currently, most ISPs merely rely on manual detection of DDoS attacks, after which offline fine-grain traffic analysis is performed and new filtering rules are installed manually on the routers. The need for human intervention results in poor response time and fails to protect the victim before severe damage is done. The expressiveness of existing filtering rules is also too limited and rigid when compared to the ever-evolving characteristics of the attacking packets. Recently, we proposed a DDoS defense architecture that supports distributed detection and automated on-line attack characterization. In this paper, we focus on the design and evaluation of the automated attack characterization, selective packet discarding and overload control portion of the proposed architecture. Our key idea is to prioritize packets based on a per-packet score which estimates the legitimacy of a packet given the attribute values it carries. Special considerations are made to ensure that the scheme is amenable to high-speed hardware implementation. Once the score of a packet is computed, we perform score-based selective packet discarding, where the dropping threshold is dynamically adjusted based on (1) the score distribution of recent incoming packets and (2) the current level of overload of the system.

One of the major threats to cyber security is the Distributed Denial-of-Service (DDoS) attack, in which the victim network element(s) are bombarded with a high volume of fictitious attacking packets originating from a large number of machines. The aim of the attack is to overload the victim and render it incapable of performing normal transactions. DDoS attacks can be categorized into end-point attacks and infrastructure attacks. In an end-point attack, the victim can be an individual end-host or, more typically, an entire customer stub-network served by an Internet Service Provider (ISP). In an infrastructure attack, a high volume of attacking packets is forced through a port of an ISP router to create one or more choke-points within the ISP infrastructure, based on knowledge of the routing pattern within the domain. Currently, most ISPs merely rely on manual detection of DDoS attacks. Once an attack is reported, an offline fine-grain traffic analysis is performed by a subject-matter expert to identify and characterize the attacking packets. New filtering rules / access control lists are then constructed and installed manually on the routers according to the outcome of attack characterization. The need for human intervention results in poor response time and fails to protect …
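The abstract describes two mechanisms: a per-packet legitimacy score derived from the packet's attribute values, and a dropping threshold that is recomputed from the score distribution of recent packets and the current overload level. The following is an added illustration of how those two pieces fit together; it is my own code, not the paper's implementation. It assumes a log-ratio score (sum over attributes of log P_nominal(value) / P_current(value), where the nominal profile is learned from attack-free traffic and the current profile from the latest batch) and a quantile-based threshold that keeps only as many packets as the protected system has capacity for. All traffic in it is constructed sample data.

```python
"""Score-based selective packet discarding (added illustration, not the paper's code).

Assumptions not stated on this page: a packet's score is the sum over its
attributes of log(P_nominal(value) / P_current(value)); the nominal profile
comes from attack-free traffic, the current profile from the most recent batch;
the discard threshold is the score quantile that keeps only as many packets as
the protected system can handle. All packets below are constructed samples.
"""
import math
import random
from collections import Counter

ATTRIBUTES = ("proto", "ttl", "size", "dst_port")


def build_profile(packets):
    """Per-attribute value frequencies of a batch, as probabilities."""
    n = len(packets)
    return {attr: {v: c / n for v, c in Counter(p[attr] for p in packets).items()}
            for attr in ATTRIBUTES}


def packet_score(packet, nominal, current, floor=1e-4):
    """Legitimacy score in the log domain: attribute values that are far more
    common now than in attack-free traffic pull the score down. Summing logs
    instead of multiplying ratios keeps the per-packet work to lookups and adds.
    `floor` stands in for values never seen in a profile, avoiding log(0)."""
    return sum(math.log(nominal[a].get(packet[a], floor) / current[a].get(packet[a], floor))
               for a in ATTRIBUTES)


def choose_threshold(scores, keep_fraction):
    """Discard threshold from the score distribution of recent packets.
    keep_fraction = capacity / arrival_rate (capped at 1). Packets scoring at
    or below the returned value are dropped; ties at the boundary are all
    dropped, so the surviving load never exceeds the target."""
    if keep_fraction >= 1.0:
        return -math.inf            # no overload: nothing is discarded
    if keep_fraction <= 0.0:
        return math.inf             # no capacity at all: everything is dropped
    ordered = sorted(scores)
    drop_count = int(round(len(ordered) * (1.0 - keep_fraction)))
    if drop_count == 0:
        return -math.inf
    return ordered[drop_count - 1]  # the drop_count-th lowest score


def filter_batch(batch, nominal, capacity):
    """Score one batch, pick the threshold for the current overload level and
    return (kept_packets, threshold)."""
    current = build_profile(batch)
    scores = [packet_score(p, nominal, current) for p in batch]
    threshold = choose_threshold(scores, capacity / len(batch))
    kept = [p for p, s in zip(batch, scores) if s > threshold]
    return kept, threshold


def legit_packet(rng):
    """Constructed legitimate traffic: a spread of protocols, TTLs, sizes and ports."""
    return {"proto": rng.choice(["tcp"] * 7 + ["udp"] * 3),
            "ttl": rng.choice([64, 128, 255]),
            "size": rng.choice(["small", "medium", "large"]),
            "dst_port": rng.choice([80, 443, 53, 25]),
            "legit": True}


def attack_packet():
    """Constructed flood traffic: every packet carries the same attribute set,
    which is exactly what makes it stand out against the nominal profile."""
    return {"proto": "udp", "ttl": 255, "size": "small", "dst_port": 53, "legit": False}


def simulate(seed=0, n_nominal=2000, n_legit=400, n_attack=600, capacity=500):
    """Learn the nominal profile from attack-free traffic, then filter one
    overloaded batch. Returns (legitimate packets kept, attack packets kept)."""
    rng = random.Random(seed)
    nominal = build_profile([legit_packet(rng) for _ in range(n_nominal)])
    batch = [legit_packet(rng) for _ in range(n_legit)] + [attack_packet() for _ in range(n_attack)]
    rng.shuffle(batch)
    kept, _ = filter_batch(batch, nominal, capacity)
    kept_legit = sum(1 for p in kept if p["legit"])
    return kept_legit, len(kept) - kept_legit


if __name__ == "__main__":
    legit_kept, attack_kept = simulate()
    print(f"kept {legit_kept} legitimate and {attack_kept} attack packets")
```

In the simulated batch the flood packets all share one attribute combination, so they receive one identical low score and the quantile threshold lands exactly on it; because ties at the threshold are discarded, the whole flood is dropped and the only legitimate packets lost are the few whose attributes happen to match the flood exactly. Real traffic is less tidy than this: the profiles have to be refreshed as the attack mix shifts, and the threshold should be re-derived every batch rather than fixed once.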
Similar references
PacketScore: A Statistical Packet Filtering Scheme against Distributed Denial-of-Service Attacks
Distributed Denial-of-Service (DDoS) attacks are a critical threat to the Internet. This paper introduces a DDoS defense scheme that supports automated online attack characterizations and accurate attack packet discarding based on statistical processing. The key idea is to prioritize a packet based on a score which estimates its legitimacy given the attribute values it carries. Once the score o...
HF-Blocker: Detection of Distributed Denial of Service Attacks Based On Botnets
Today, botnets have become a serious threat to enterprise networks. By creating networks of bots, they launch several kinds of attacks; distributed denial of service (DDoS) attacks on networks are one example. Such attacks, by occupying system resources, have proven to be an effective method of denying network services. Botnets that launch HTTP packet flood attacks agains...
Neural Network Based Protection of Software Defined Network Controller against Distributed Denial of Service Attacks
Software Defined Network (SDN) is a new architecture for network management. Its main concept is centralizing network management in the network control level, which has an overview of the network and determines the forwarding rules for switches and routers (the data level). Although this centralized control is the main advantage of SDN, it is also a single point of failure. If this main contro...
A Distributed Denial-of-Service Defense System Using Leaky-Bucket-Based PacketScore (preliminary work)
Distributed Denial of Service (DDoS) attacks have been a major threat to the Internet, while no effective schemes have been proposed or deployed, leaving the Internet vulnerable to such attacks. We propose a proactive DDoS defense scheme [Ki04] in which multiple routers form a defense perimeter. They collaboratively detect DDoS attacks, if any exist, and differentiate attacking packets from goo...
A High-Speed PacketScore DDoS Defense System
Distributed Denial of Service (DDoS) attacks pose a significant threat to the Internet, while no effective defense schemes have been proposed or deployed. PacketScore has been proposed as a proactive DDoS defense scheme that detects DDoS attacks and differentiates attacking packets from good ones using packet scoring (scores are calculated per packet based on the attribute values it pos...