SHARED BASED RATE LIMITING : AN INTEGRATED APPROACH TO MITIGATE DDoS ATTACKS

Abstract

Today Distributed Denial of Service (DDoS) attacks are a major problem to the availability of Internet Services. Perpetration requires little effort on the attacker's side, since a vast number of insecure machines provide fertile ground for attack zombies and automated scripts for exploitation and attack can easily be downloaded and deployed. Prevention of the attack or the response and traceback of perpetrators is extremely difficult due to a large number of attacking machines. Several schemes have been proposed for countering DDoS attacks directed at an Internet Server, but they suffer from a range of problems, some of them being impractical and others not being effective against these attacks. This dissertation explores the problem of DDoS defense using Shared Based Rate Limiting Technique. The basic mechanism is to have monitoring, rate limiting and filtering routers at various levels of ISPs. This scheme is invoked only during attack times, and is able to mitigate attack traffic through filtering of packets. The participating routers, start there function after getting a signal from a server under attack. Server tells edge routers to rate limit the traffic according to the traffic share routers are contributing in total traffic. The solution proposed in this thesis is an ISP level solution which is practical enough to be implemented. Simulations are carried on Network Simulator 2, an object oriented and TCL based simulator. The result shows that Shared Based Rate Limiting approach gives better results and improvement over static router throttling technique which was proposed earlier.