Our work focuses on the problem of proactively detecting and mitigating stealthy distributed denial of service (DDoS) attacks that employ the TCP protocol. Such attacks are likely to consist of large numbers of short-duration flows using a large number of source IP addresses that are possibly spoofed. In our approach, each router maintains a partition (possibly dynamic) of active TCP flows into aggregates. Each aggregate is probed to estimate the proportion of attack traffic that it contains. Packets belonging to aggregates that contain significant amounts of attack traffic may be subject to aggressive drop policies to prevent denial of service at the intended victim(s). The probing technique exploits the presumption that attack sources do not conform to standard TCP congestion control. A router estimates the attack traffic for each aggregate by dropping a small number of packets from that aggregate and monitoring the transient response of the arrival rate of the aggregate. We derive a simple analytical formula for the expected response of an aggregate whose constituent flows all conform to TCP congestion control. By comparing the probed response to that predicted by the formula, a router can estimate the proportion of traffic in the aggregate that is nonconforming and hence presumed to belong to an attack. This approach may be implemented in a purely distributed manner at individual routers. Furthermore, since it does not depend on interactions between routers, incremental deployment is possible.
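The probe-and-compare estimator described above, as an added simulation that is not the paper's own code and does not use the paper's analytical formula. The model is a deliberate simplification chosen here: a conforming flow is assumed to halve its sending rate in response to a single dropped packet and then recover additively over a fixed number of round-trip times (the constant `RTT_STEPS_TO_RECOVER` is an assumption), while a nonconforming (attack) flow ignores loss entirely. The router-side model `expected_dip_all_conforming` knows only the aggregate's arrival rate and flow count, assumes each probe drop hits a distinct flow at the mean per-flow rate, and the estimator reports the share of the expected dip that did not materialise as the nonconforming fraction. The flow counts, rates and seed are constructed sample values.

```python
"""Simulated probe of a TCP-flow aggregate: drop a few packets, watch the
transient dip in arrival rate, compare with the dip an all-conforming
aggregate would show, and attribute the missing response to attack traffic.
Illustrative model only; constants and behaviour are assumptions."""
import random
from dataclasses import dataclass

RTT_STEPS_TO_RECOVER = 8  # assumed: linear recovery to full rate over 8 RTTs


@dataclass
class Flow:
    rate: float           # nominal sending rate, packets per second
    conforming: bool      # True = reacts to loss like standard TCP
    depressed: float = 0.0  # how far the flow currently sits below nominal rate

    @property
    def current_rate(self) -> float:
        return self.rate - self.depressed

    def on_drop(self) -> None:
        # Assumed conforming reaction: halve the current sending rate.
        # Attack flows are assumed to ignore the loss.
        if self.conforming:
            self.depressed = self.rate - self.current_rate / 2.0

    def on_rtt(self) -> None:
        # Assumed additive recovery: regain a fixed slice of nominal rate per RTT.
        if self.depressed > 0.0:
            self.depressed = max(0.0, self.depressed - self.rate / RTT_STEPS_TO_RECOVER)


def make_aggregate(n_conforming: int, n_attack: int, rate: float = 100.0) -> list:
    """Constructed aggregate: n_conforming TCP flows plus n_attack flows, all
    at the same nominal rate so the estimate can be checked by hand."""
    return ([Flow(rate, True) for _ in range(n_conforming)]
            + [Flow(rate, False) for _ in range(n_attack)])


def aggregate_rate(flows: list) -> float:
    return sum(f.current_rate for f in flows)


def expected_dip_all_conforming(flows: list, k: int) -> float:
    """Router-side model: k drops hit k distinct flows, each at the mean
    per-flow rate, and each halves. Only aggregate rate and flow count are used."""
    mean_rate = aggregate_rate(flows) / len(flows)
    return k * mean_rate / 2.0


def probe(flows: list, k: int, measure_after_rtts: int = 1, seed: int = 0):
    """Drop one packet from each of k distinct flows chosen at random, then read
    the aggregate rate measure_after_rtts RTTs later. Returns (observed, expected) dip."""
    before = aggregate_rate(flows)
    expected = expected_dip_all_conforming(flows, k)
    rng = random.Random(seed)
    for f in rng.sample(flows, k):
        f.on_drop()
    # The first RTT is when the loss response takes effect; later RTTs are recovery.
    for _ in range(measure_after_rtts - 1):
        for f in flows:
            f.on_rtt()
    observed = before - aggregate_rate(flows)
    return observed, expected


def estimate_nonconforming_fraction(flows: list, k: int,
                                    measure_after_rtts: int = 1, seed: int = 0) -> float:
    """Share of the expected all-conforming dip that did not appear, clamped to [0, 1]."""
    observed, expected = probe(flows, k, measure_after_rtts, seed)
    if expected == 0.0:
        return 0.0
    return min(1.0, max(0.0, 1.0 - observed / expected))


if __name__ == "__main__":
    for label, agg in (("all conforming", make_aggregate(100, 0)),
                       ("80/20 mix", make_aggregate(80, 20)),
                       ("all attack", make_aggregate(0, 100))):
        print(f"{label:15s} estimated nonconforming fraction:",
              round(estimate_nonconforming_fraction(agg, k=40), 3))
    # Reading the rate too late lets conforming flows recover and biases the estimate up.
    late = estimate_nonconforming_fraction(make_aggregate(100, 0), k=40, measure_after_rtts=3)
    print("all conforming, measured 3 RTTs after probe:", round(late, 3))
```

Two things the run makes visible that the abstract only states: the estimate tracks the true attack share only up to the sampling noise of which flows the k probe drops happen to hit, and the measurement must be taken during the transient, since a reading several RTTs later sees conforming flows already recovering and inflates the nonconforming estimate (the all-conforming aggregate reads 0.5 when measured two recovery steps late under these assumptions).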