A new border filtering scheme against DDoS attacks

There are two types of packet marking techniques in DDoS attacks defense. IP traceback reconstructs attack paths and entrance nodes, while path identification enables the victim identify and filter effectively malicious packets. In this paper, we propose an idea of organic combination of both that the upstream nodes identify and filter malicious packets. We specifically design a new packet marking and filtering scheme. Along the path, the nodes before the border routers mark packets with path identification scheme while the border nodes mark packets with IP traceback scheme. The victim can extract and reconstruct the relevant information from malicious arrived packets, and then notify the attack entrance nodes, i.e., the border routers, to filter malicious packets based on marking information. Large-scale simulation results based on actual Internet topology show that our defense scheme is better, and reduce effectively the impact of the attack on the victim and the upstream link inside autonomous system.