• DocumentCode
    2441062
  • Title
    Proactive control of distributed denial of service attacks with source router preferential dropping
  • Author
    Fan, Yinghong ; Hassanein, Hossam ; Martin, Patrick
  • Author_Institution
    Sch. of Comput., Queen's Univ., Kingston, Ont., Canada
  • fYear
    2005
  • fDate
    2005
  • Firstpage
    70
  • Abstract
    Summary form only given. A distributed denial of service (DDoS) attack is an explicit attempt to interrupt an online service by generating a high volume of malicious traffic. These attacks consume all available network resources, thus rendering legitimate users unable to access the services. Most existing solutions propose to detect and drop attack packets at or near the destination network where the attack packets have already traversed the network and consumed considerable bandwidth. The aggregate traffic at the destination router may consist of hundreds of thousands of flows making it hard for the router to distinguish between legitimate and malicious packets. So, collateral damage is unavoidable. In this paper, we present a source router preferential dropping (SRPD) scheme to detect possible DDoS attacks and defeat them at their sources. SRPD monitors only high-rate outgoing flows at source networks and preferentially drops the packets belonging to these flows when it senses the existence of an attack. A simulation model is constructed and a number of simulation experiments have been conducted to evaluate the performance of the proposed scheme. Simulation results show that SRPD effectively controls DDoS attacks at their sources and reduces collateral damage to a minimum level.
  • Keywords
    packet switching; security of data; telecommunication control; telecommunication network routing; telecommunication security; telecommunication traffic; collateral damage reduction; destination router; distributed denial of service attack; high volume malicious traffic; high-rate outgoing flow; network resources; online service interruption; packet dropping; proactive control; source router preferential dropping scheme; Aggregates; Bandwidth; Communication system traffic control; Computer crime; Computer hacking; Distributed control; Internet; Protection; Telecommunication traffic; Traffic control;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Computer Systems and Applications, 2005. The 3rd ACS/IEEE International Conference on
  • Print_ISBN
    0-7803-8735-X
  • Type
    conf
  • DOI
    10.1109/AICCSA.2005.1387064
  • Filename
    1387064