DocumentCode
1632064
Title
Countering denial-of-service attacks using congestion triggered packet sampling and filtering
Author
Huang, Yih ; Pullen, J. Mark
Author_Institution
Dept. of Comput. Sci., George Mason Univ., Fairfax, VA, USA
fYear
2001
fDate
6/23/1905 12:00:00 AM
Firstpage
490
Lastpage
494
Abstract
Denial-of-service (DoS) attacks have received a great amount of attention from research communities and the general public alike, due to recent, high-profile attacks against major Internet e-commerce sites. We present a countermeasure against such attacks, called the congestion-triggered packet sampling/packet filtering (CTPS/PF) architecture. With CTPS/PF, a packet sampling mechanism that is integrated with the congestion control mechanism at routers is used to detect DoS attacks, and packet filters are activated only when sampling results warrant action. One important concern in deploying any form of traffic analysis in the critical data-forwarding paths of the Internet is performance. Our sample processing algorithm takes into account the confidence indicators of statistical results to raise alarms with relatively small numbers of samples. Moreover, the per-sample processing complexity is only O(1). Our simulation study reveals that the CTPS/PF architecture is able to detect the presence of DoS attacks and take proper action within hundreds of milliseconds to tens of seconds. Moreover, the average sampling overhead during a congestion period is in the vicinity of 1 sample per second.
Keywords
Internet; sampling methods; security of data; telecommunication congestion control; telecommunication security; Internet e-commerce sites; congestion triggered packet filtering; congestion triggered packet sampling; data-forwarding paths; denial-of-service attacks; sampling overhead; traffic analysis; Computer crime; Computer science; Electronic mail; Information filtering; Information filters; Internet; Multiprotocol label switching; Performance analysis; Sampling methods; Traffic control;
fLanguage
English
Publisher
ieee
Conference_Titel
Computer Communications and Networks, 2001. Proceedings. Tenth International Conference on
Conference_Location
Scottsdale, AZ
ISSN
1095-2055
Print_ISBN
0-7803-7128-3
Type
conf
DOI
10.1109/ICCCN.2001.956309
Filename
956309