On Filtering of DDoS Attacks Based on Source Address Prefixes

Abstract

Distributed denial of service (DDoS) attacks are a grave threat to Internet services and even to the network itself. Widely distributed "zombie" computers subverted by malicious hackers are used to orchestrate massive attacks. Despite significant research efforts and the existence of a wide range of commercial products defending against them, DDoS attacks are still a concern for most network operators and companies relying on the Internet. A particularly hard problem is distinguishing the packets that are part of the attack from legitimate traffic so that the attack can be filtered out without much collateral damage. In this paper we explore the use of ACL rules that distinguish the attack packets from the legitimate traffic based on prefixes derived from models of the historic distribution of legitimate packet source addresses. One advantage of this defense is that these ACL rules can be deployed in routers deep in the network where the attack isn't large enough to cause loss of legitimate traffic due to congestion. The most important disadvantage is that these ACL, rules can also cause collateral damage by discarding some legitimate traffic. We use simulations to study this damage. We examine the effect of various factors: magnitude of attacks, attack strategy, degree of network overprovisioning, number of ACL rules used, service targeted (web, email, DNS), and algorithm for generating ACL rules. Fol attacks 100 times larger than the link capacity provisioned to match peak traffic we applied SAPF to reduce the total traffic to within 1ink capacity and it discarded on average 54% of the legitimate traffic for a mail server and 67% for a web server. For smaller attacks of only 5 times the link capacity the collateral damage was 8% and 31% respectively.