Optimal Filtering for Denial of Service Mitigation

An optimal approach to mitigation of flooding denial of service attacks is presented. The objective is to minimize effect of the mitigation while protecting the server. The approach relies on routers filtering enough packets so that the server is not overwhelmed while ensuring that as little filtering is performed as possible. The optimal solution is to filter packets at routers through which the “attack packets” are passing. The identification of which router the packets are passing is carried out by routers filtering a small but time varying fraction of the packets. The arrival of packets at the server is correlated to router filtering providing an indication through which routers the attack packets are passing. Once sufficient confidence in the identification is achieved, the routers that forward more attack packets filter more packets than router that forward less attack packets.