Filter Assignment Policy Against Distributed Denial-of-Service Attack

摘要

A denial-of-service (DoS) attack is a cyber-attack in which the attacker sends out a huge number of requests to exhaust the capacity of a server, so that it can no longer serve incoming requests and DoS occurs. The most devastating distributed DoS attack is performed by malicious programs called bots. With the help of a special type of router called filter router, the victim can protect itself and reduce useless congestion in the network. A server can send out filters to filter routers for blocking attack traffic. The victim needs to select a subset of filter routers wisely to minimize attack traffic and blockage of legitimate users (LUs). In this paper, we formulate two problems for selecting filter routers given a constraint on the number of filters. The first problem considers the source-based filter and we provide greedy approximation solutions. The second problem considers the destination-based filter and how to minimize total amount of attack traffic and blocked LUs. We propose a dynamic programming solution for the second problem. We present simulation results comparing the proposed solutions with a naive approach. Our simulation results strengthen support for our solutions.