Off-the-wall: Lightweight Distributed Filtering to Mitigate Distributed Denial of Service Attacks
Report, 2011
Distributed Denial of Service (DDoS) attacks are hard to deal with because it is difficult to distinguish legitimate traffic from malicious traffic, especially when the latter comes from distributed sources. To filter malicious traffic accurately one needs (strong but costly) packet authentication primitives, which increase design complexity and typically reduce throughput. It is a challenge to keep a balance between throughput and the security/protection of the network core and end resources. In this paper, we propose SIEVE, a lightweight distributed filtering protocol/method. Depending on the attacker's ability, SIEVE can provide a standalone filter for moderate adversary models and a complementary filter that enhances the performance of stronger and more complex methods for stronger adversary models. SIEVE uses an overlay network to form a distributed "sieve" that filters malicious traffic aimed at servers. Overlay nodes use lightweight authenticators (e.g. source IP addresses) to filter packets. SIEVE also provides a simple solution to protect connection setup procedures between legitimate clients and protected servers, which gives legitimate packets a guaranteed probability of receiving service. We present analytical and simulation-based studies of the filter efficiency and overhead of SIEVE and give a cost guideline for configuring the distributed filter according to customized demand, thus balancing the trade-offs.
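As an added illustration (not code from the report, and not the SIEVE protocol itself), the following Python model captures the filtering idea the abstract describes: overlay nodes hold a table of source IPs admitted at connection setup, a packet is routed to one node by hashing its source address, and the node drops any packet whose lightweight authenticator is unknown. The node count, addresses, packet counts and the `run_demo` scoring are all constructed here. The model also makes the abstract's adversary-model caveat concrete: an attacker who spoofs a registered source IP passes a source-IP-only filter, which is why such a filter suits moderate adversaries on its own and needs a stronger complementary mechanism otherwise.

```python
"""Toy model of overlay-based filtering on a lightweight authenticator (source IP).

This is an illustrative model only; it does not implement the SIEVE protocol.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Packet:
    src: str          # source IP, used as the lightweight authenticator
    legitimate: bool  # ground truth, used only to score the filter


@dataclass
class OverlayNode:
    node_id: int
    allowed: Set[str] = field(default_factory=set)  # source IPs admitted at setup
    seen: int = 0                                   # packets this node inspected (overhead)

    def accept(self, pkt: Packet) -> bool:
        self.seen += 1
        return pkt.src in self.allowed


class Overlay:
    """Overlay nodes partition the authenticator table by hashing the source IP."""

    def __init__(self, n_nodes: int) -> None:
        self.nodes = [OverlayNode(i) for i in range(n_nodes)]

    def node_for(self, src: str) -> OverlayNode:
        # Deterministic assignment of a source address to one overlay node.
        digest = hashlib.sha256(src.encode()).digest()
        return self.nodes[int.from_bytes(digest[:4], "big") % len(self.nodes)]

    def register(self, src: str) -> None:
        """Connection setup: the protected server admits a client's source IP."""
        self.node_for(src).allowed.add(src)

    def filter(self, packets: List[Packet]) -> Tuple[List[Packet], List[Packet]]:
        """Route each packet to its node; unknown authenticators are dropped."""
        passed: List[Packet] = []
        dropped: List[Packet] = []
        for pkt in packets:
            (passed if self.node_for(pkt.src).accept(pkt) else dropped).append(pkt)
        return passed, dropped


def score(packets: List[Packet], passed: List[Packet]) -> Dict[str, float]:
    """Filter efficiency: share of malicious traffic dropped, share of legitimate kept."""
    mal_in = sum(not p.legitimate for p in packets)
    mal_out = sum(not p.legitimate for p in passed)
    leg_in = sum(p.legitimate for p in packets)
    leg_out = sum(p.legitimate for p in passed)
    return {
        "malicious_dropped": 1 - mal_out / mal_in if mal_in else 1.0,
        "legitimate_passed": leg_out / leg_in if leg_in else 1.0,
    }


def run_demo(n_nodes: int = 4, spoofed: int = 10) -> Dict[str, object]:
    """Constructed traffic mix: 5 registered clients, 100 unregistered attack sources,
    plus `spoofed` attack packets that forge a registered client's address."""
    overlay = Overlay(n_nodes)
    legit_ips = [f"10.0.0.{i}" for i in range(1, 6)]          # constructed client IPs
    for ip in legit_ips:
        overlay.register(ip)
    traffic = [Packet(ip, True) for ip in legit_ips for _ in range(4)]
    traffic += [Packet(f"198.51.100.{i}", False) for i in range(1, 101)]  # constructed (TEST-NET-2)
    traffic += [Packet("10.0.0.1", False) for _ in range(spoofed)]        # spoofed authenticator
    passed, _dropped = overlay.filter(traffic)
    result: Dict[str, object] = dict(score(traffic, passed))
    result["inspected_per_node"] = [n.seen for n in overlay.nodes]  # per-node overhead
    return result


if __name__ == "__main__":
    print("no spoofing:", run_demo(spoofed=0))
    print("with spoofing:", run_demo())
```

With no spoofed packets every attack packet is dropped and every legitimate packet passes; with spoofed packets the source-IP authenticator lets them through, and the per-node `inspected_per_node` counts show how the filtering work is spread across the overlay rather than landing on the protected server.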
Lightweight Authenticator
Overlay Network
Distributed Denial-of-Service