A distributed denial-of-service (DDoS) attack can flood a victim site with malicious traffic, causing service disruption or even complete failure. Public-access sites like amazon or ebay are particularly vulnerable to such attacks, because they have no way of a priori blocking unauthorized traffic. We present Active Internet Traffic Filtering (AITF), a mechanism that protects public-access sites from highly distributed attacks by causing undesired traffic to be blocked as close as possible to its sources. We identify filters as a scarce resource and show that AITF protects a significant amount of the victim's bandwidth, while requiring from each participating router a number of filters that can be accommodated by today's routers. AITF is incrementally deployable, because it offers a substantial benefit even to the first sites that deploy it.