Skip to Main Content
Our proposed scheme seeks to defend flooding distributed denial-of-service (DDoS) attacks in the Internet. An easy, yet very disruptive, way to cause unfairness to the legitimate users is to deplete the network bandwidth by sending high rate unresponsive flows from multiple sources. The network congestion created by such malicious flows causes most legitimate packets to be dropped at routers without reaching their destinations. Congestion control in IP networks is typically done at each router through queue management, and the network is entirely dependent on the end hosts to react to congestion. However, when the network is under attacks which use packet floods, existing queue management algorithms reveal significant shortcomings in protecting legitimate flows. In this paper, we propose a novel scheme for congestion control in IP networks to defend against DDoS attacks. Our approach is a time-window based filtering mechanism, processed before a queue management policy is applied. Setting the window size properly, and dropping packets reaching into the next window, can catch the non-responsive nature of misbehaving flows. The performance of our proposed scheme is demonstrated through extensive simulations with the NS2 simulator, using a set of simulated traffic generated based on IP traces reported in http://www.nlnar.org.