PERFORMANCE EVALUATION OF ROUTE-BASED DISTRIBUTED PACKET FILTERING FOR DDOS PREVENTION IN LARGE-SCALE NETWORKS A Thesis

Kim, HyoJeong. M.S., Purdue University, December, 2003. Performance Evaluation of Route-based Distributed Packet Filtering for DDoS Prevention in Large-scale Networks. Major Professor: Kihong Park. This thesis studies performance evaluation of route-based distributed packet filtering (DPF) for spoofed distributed denial of service (DDoS) attack prevention in large-scale networks under dynamic network conditions. Our contribution is threefold. We design and implement a route-based DPF protocol which computes routebased filter tables dynamically in the presence of IP (Internet Protocol) routing table updates governed by BGP (Border Gateway Protocol), Internet’s inter-domain routing protocol. By introducing an additional signalling message type to BGP, our solution discovers source reachability information despite the destination-based and policy-based characteristics of BGP that is prone to generating asymmetric routes. We evaluate proactive protection performance of route-based DPF under dynamic network conditions including node failures and resulting transient system states. Benchmarking is carried out in large-scale Internet measurement topologies where we show that route-based DPF is robust and effective with respect to both proactive (containment) and reactive (traceback) performance. To facilitate large-scale simulation-based DDoS performance evaluation, we built the Dynamic DPF Simulator as an extension of DaSSFNet. By incorporating automated network configuration, partitioning, and run-time measurement and monitoring, we show that scalable network simulation is effected by enabling efficient memory, CPU, and communication load balancing in workstation clusters.