Conference: IEEE Global Telecommunications Conference

RateGuard: A Robust Distributed Denial of Service (DDoS) Defense System


Abstract

One of the major threats to cyber security is the Distributed Denial-of-Service (DDoS) attack. In this paper, we focus on three kinds of sophisticated DDoS attacks that seriously cripple the current DDoS defense systems and have not been solved yet. In Fast Adaptive Attacks (FAAs), attackers adaptively generate attacking traffic based on the feedback from a victim in Round Trip Time (RTT). Almost all proposed rules-based filtering schemes cannot effectively defend against FAAs, since they need a relatively long time (compared to RTT) to update filtering rules. In Adaptive Attacks with statistical filtering rules Scanning (AAS), attackers circumvent the defense system by discovering the statistical filtering rules of the defense system and then generating flooding traffic to mimic nominal traffic. In Low-Rate TCP Attacks (LRAs), attackers send periodic attack pulses to overflow a router's buffer and force the legitimate TCP flow to a low throughput while staying under the radar with a very low average rate. In this paper, we propose a Leaky-Bucket (LB) based highly robust DDoS defense system, called RateGuard. It can react to FAAs and LRAs by rate-limiting excessive traffic in real-time according to the victim's nominal traffic profile. Moreover, by associating an LB with each joint attribute value, the huge space required for possible joint attribute values makes it almost impossible for attackers to scan the victim's nominal traffic profiles and, thus, makes it highly robust to cope with AAS and other sophisticated attacks.
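
An added sketch of the mechanism the abstract describes, not code from the RateGuard paper: one leaky bucket per joint attribute value, drained at that value's nominal rate, so traffic above the profile is dropped as it arrives. The attribute choice (protocol, destination port, size bin), the rates and depths, and the default for unprofiled values are all assumptions.

```python
from dataclasses import dataclass

@dataclass
class LeakyBucket:
    rate: float         # drain rate, packets/second (from the nominal profile)
    depth: float        # capacity in packets (tolerated burst)
    level: float = 0.0
    last: float = 0.0

    def admit(self, now: float) -> bool:
        # Drain for the elapsed time, then try to add one packet.
        self.level = max(0.0, self.level - (now - self.last) * self.rate)
        self.last = now
        if self.level + 1.0 > self.depth:
            return False            # excess over the nominal profile: drop
        self.level += 1.0
        return True

class JointAttributeLimiter:
    def __init__(self, profile, default=(1.0, 2.0)):
        self.profile = profile      # joint key -> (rate, depth)
        self.default = default      # assumed allowance for unprofiled keys
        self.buckets = {}

    @staticmethod
    def key(pkt):
        # Assumed joint attribute: protocol, destination port, 256-byte size bin.
        return (pkt["proto"], pkt["dport"], pkt["size"] // 256)

    def admit(self, pkt, now):
        k = self.key(pkt)
        if k not in self.buckets:
            rate, depth = self.profile.get(k, self.default)
            self.buckets[k] = LeakyBucket(rate, depth, last=now)
        return self.buckets[k].admit(now)

def demo():
    # Constructed profile and traffic, not data from the paper.
    limiter = JointAttributeLimiter({("tcp", 443, 0): (100.0, 20.0)})
    nominal = [(i * 0.02, {"proto": "tcp", "dport": 443, "size": 120}) for i in range(50)]
    pulse = [(0.5 + j * 0.00005, {"proto": "udp", "dport": 53, "size": 1400}) for j in range(200)]
    admitted = {}
    for now, pkt in sorted(nominal + pulse, key=lambda e: e[0]):
        if limiter.admit(pkt, now):
            admitted[limiter.key(pkt)] = admitted.get(limiter.key(pkt), 0) + 1
    return admitted

if __name__ == "__main__":
    print(demo())
```

In this constructed run the 50 packets that match the profile all pass, while the 200-packet pulse on an unprofiled joint value is cut to 2 packets within the same 10 ms, with no rule update in between.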
