Optimal Allocation of Filters against DDoS Attacks

Distributed denial-of-service (DDoS) attacks are a major problem in the Internet today. During a DDoS attack, a large number of compromised hosts send unwanted traffic to the victim, thus exhausting the resources of the victim and preventing it from serving its legitimate clients. One of the main mechanisms against DDoS is filtering, which allows routers to selectively block unwanted traffic. Given the magnitude of DDoS attacks and the high cost of filters in the routers today, the successful mitigation of a DDoS attack using filtering crucially depends on the efficient allocation of filtering resources. In this paper, we consider a single router with a limited number of available filters. We study how to optimally allocate filters to attack sources, or entire domains of attack sources, so as to maximize the amount of good traffic preserved, under a constraint on the number of filters. First, we look at the single-tier problem, where the collateral damage on legitimate traffic is high due to the filtering at the granularity of attack domains. Second, we look at the two-tier problem, where we have an additional constraint on the number of filters and filtering is performed at the granularity of attackers and/or domains. We formulate both problems as optimization problems, and we evaluate the optimal solution over a range of realistic attack-scenarios. Our results demonstrate that efficient filter allocation significantly improves the tradeoff between the number of filters used and the amount of legitimate traffic preserved.