A flooding-based Distributed Denial of Service (DDoS) attack sends a large amount of unwanted traffic to a victim machine. Existing network-level congestion control mechanisms are inadequate in preventing service quality from deteriorating because of these attacks. We propose a distributed framework to defend against DDoS attacks. It has three major components: detection, trace back, and traffic control. We present the traffic control component in detail in this paper. A distance-based rate limit mechanism is proposed to allow the traffic control component at the victim end request the defense systems at the source end to set up rate limits on the edge routers of the attack source ends. This rate limit mechanism efficiently reduces attack traffic from being forwarded to the victim. We evaluate the DDoS defense framework using the NS2 platform. The results demonstrate that the framework can effectively control attack traffic to sustain quality of service for legitimate traffic compared to the pushback technique.
展开▼
