A High-Speed PacketScore DDoS Defense System

Distributed Denial of Service (DDoS) attacks pose a significant threat to the Internet while no effective defense schemes have been proposed or deployed. PacketScore has been proposed as a proactive DDoS defense scheme, which detects DDoS attacks, differentiates attacking packets from good ones with the use of packet scoring (scores are calculated per-packet based on the attribute values it possesses), and discards packets whose scores are lower than a dynamic threshold (lower scores are more likely to be the attacking ones). We extend the packet-scoring concept and devise new schemes to reduce implementation complexity and improve overall performance. More specifically, a Leaky-Bucket overflow control scheme simplifies the score computation. An Attribute-Value-Variation scoring scheme — a method based on analysis of deviations of the current traffic attribute values measured from a previously measured traffic baseline — increases the accuracy of detecting and differentiating attacks. An enhanced packet discarding method allows both schemes to be more adaptive to challenging attacks such as those that dynamically change their attacking types and intensity. The overall reduction in complexity, higher detection and differentiation accuracies, and great memory savings make the new schemes natural candidates for high-speed hardware implementations of DDoS defense systems.