The Distributed Denial-of-Service (DDoS) attack is a serious threat on the Internet, and an effective method is needed for distinguishing attack traffic from legitimate traffic. In DDoS attacks, the large volume of attack streams causes self-induced congestion or higher utilization of the links. Based on this observation, we propose the Congestion Path Marking (CPM) scheme to identify and drop attack packets. In the proposed scheme, we store link utilization information in the packet header so that suspicious attack packets can be distinguished. Each router along the path records its local congestion information, and this information is accumulated to represent the overall congestion level that a packet has experienced. To enable lightweight real-time processing, we employ a RED-like random packet dropping mechanism at the victim's egress router. Through simulations, we show that when the CPM scheme is employed, most of the attack packets in excess of the link capacity are dropped while less than 4% of the legitimate packets are dropped in typical scenarios. The simulation results also show significantly improved TCP performance when CPM is utilized.
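As an added illustration (not the paper's own code; the abstract gives no implementation), the following Python sketch models the CPM idea: each router adds its local link utilization to a mark carried in the packet header, and the victim's egress router applies a RED-like drop probability to the accumulated mark rather than to queue length. The summation rule, the thresholds, the header field name and the sample traffic are assumptions constructed for the example.

```python
import random
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    mark: float = 0.0  # accumulated congestion mark in the header (assumed field)

def mark_at_router(pkt, link_utilization):
    """A router folds its local link utilization (0..1) into the packet's mark.
    Assumption: the per-hop values are accumulated by summation."""
    pkt.mark += link_utilization
    return pkt

def drop_probability(mark, min_th, max_th, max_p):
    """RED-like ramp applied to the accumulated mark instead of queue length:
    no drops below min_th, linear ramp to max_p, certain drop at/above max_th."""
    if mark < min_th:
        return 0.0
    if mark >= max_th:
        return 1.0
    return max_p * (mark - min_th) / (max_th - min_th)

def egress_filter(packets, min_th, max_th, max_p, rng=random):
    """Random dropping at the victim's egress router based on each packet's mark."""
    kept, dropped = [], []
    for pkt in packets:
        (dropped if rng.random() < drop_probability(pkt.mark, min_th, max_th, max_p)
         else kept).append(pkt)
    return kept, dropped

def send_along_path(src, utilizations):
    """Create one packet and pass it through every router on its path."""
    pkt = Packet(src)
    for u in utilizations:
        mark_at_router(pkt, u)
    return pkt

def run_scenario(min_th=1.5, max_th=2.5, max_p=0.5, seed=1):
    """Constructed sample: a legitimate source on lightly loaded links and an
    attack source whose flood has saturated every link on its path."""
    rng = random.Random(seed)
    legit = [send_along_path("legit", [0.30, 0.40, 0.30]) for _ in range(100)]
    attack = [send_along_path("attacker", [0.95, 0.98, 0.97]) for _ in range(100)]
    kept, dropped = egress_filter(legit + attack, min_th, max_th, max_p, rng)
    return {"legit_dropped": sum(p.src == "legit" for p in dropped),
            "attack_dropped": sum(p.src == "attacker" for p in dropped)}
```

With these thresholds the lightly loaded legitimate path never reaches min_th and the saturated attack path always exceeds max_th, so only attack packets are dropped; in practice the two distributions overlap and the ramp between the thresholds is where the legitimate-loss figure quoted in the abstract comes from.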
Published in: 2006 IEEE International Conference on Communications (ICC '06), Volume 5
Date of Conference: June 2006