Counteracting DDoS attacks in multiple ISP domains using routing arbiter architecture

Today Distributed Denial of Service (DDoS) attacks are causing major threat to perform online business over the Internet. Our previous work proposed an automated model with a new packet marking technique and agent design to counteract DDoS within a single ISP domain. Our approach has many features that are required to minimize the DDoS attacks. For example, our model is invoked only during attack times, identifies the approximate source of attack with a single packet even in case of spoofed source address, identifies different attack signatures for different attacking sources, prevents the attack nearest to the attacking source, has very fast response for any changes in attack traffic pattern, is simple in its implementation and can be incrementally deployed. Though the proposed model has several advantages, prevention of the attack is limited to a single ISP domain. In this paper we extend our model to prevent DDoS attacks in multiple ISP domains by retaining all the advantages achieved in our previous work. We also propose a practical implementation of the extended model with a presently working architecture.