We present a hardware solution that can reliably block most of the malicious TCP traffic at the edge routers while passing the legitimate TCP traffic during a distributed denial-of-service (DDoS) attack on the Internet. By allocating bandwidth separately for TCP, the TCP portion of the bandwidth can be protected. In a simulation study, the filter successfully blocked 99.9% of the attack traffic, while legitimate traffic showed performance nearly identical to that in the non-attacked condition. This filtering is transparent to the hosts and routers, and a filtering device can be easily attached to router ports.