Discriminating Defense Against DDoS Attacks; a Novel Approach

TL;DR

This paper introduces a novel approach for DDoS defense by enabling sites to define important messages and discriminate them from malicious ones, proposing two mechanisms with and without router support.

Contribution

It presents a new criterion for message discrimination and two anti-DDoS mechanisms, addressing a long-standing challenge in DDoS mitigation.

Findings

Mechanism with router support effectively discriminates important messages.

Mechanism without router support offers a lightweight alternative.

Both mechanisms improve DDoS attack mitigation capabilities.

Abstract

A recent paper (circa 2020) by Osterwile et al., entitled "21 Years of Distributed Denial of Service: A Call to Action", states: "We are falling behind in the war against distributed denial-of-service attacks. Unless we act now, the future of the Internet could be at stake." And an earlier (circa 2007) paper by Peng et al. states: "a key challenge for the defense [against DDoS attacks] is how to discriminate legitimate requests for service from malicious access attempts." This challenge has not been met yet, which is, arguably, a major reason for the dire situation described by Osterwile et al. -- thirteen years later. This paper attempts to meet an approximation to this challenge, by enabling a a site to define the kind of messages that it considers important, and by introducing an unambiguous criterion of discrimination between messages that a given site considers important, and all other messages sent to it. Two anti-DDoS mechanisms based on this criterion are introduced in this paper. One of these relies on lightweight support by routers; and the other one does not.