Abstract
As more and more services are provided by servers via the Internet, Denial-of-Service (DoS) attacks pose an increasing threat to the Internet community. A DoS attack overloads the target server with a large volume of adverse requests, thereby rendering the server unavailable to well-behaved users. In this paper, we propose two algorithms that allow attack targets to dynamically filter their incoming traffic based on a distributed policy. The proposed algorithms defend the target against DoS and distributed DoS (DDoS) attacks and simultaneously ensure that it continues to serve well-behaved users. In a nutshell, a target can define a filtering policy which consists of a set of traffic classification rules and the corresponding amounts of traffic for each rule. A filtering algorithm is enforced by the ISP's routers when a target is being overloaded with traffic. The goal is to maximize the amount of filtered traffic forwarded to the target, according to the filtering policy, from the ISP. The first proposed algorithm is a collaborative algorithm which computes and delivers to the target the best possible traffic mix in polynomial time. The second algorithm is a distributed non-collaborative algorithm for which we prove a lower bound on the worst-case performance.
Original language | English |
---|---|
Pages (from-to) | 1073-1098 |
Number of pages | 26 |
Journal | International Journal of Foundations of Computer Science |
Volume | 22 |
Issue number | 5 |
State | Published - 1 Aug 2011 |
Keywords
- Denial-of-Service attack
- dynamic filtering
- filtering policy
- internet router
- traffic classification
ASJC Scopus subject areas
- Computer Science (miscellaneous)