Share-Based Rate Limiting: An ISP-Level Solution to Deal with DDoS Attacks

Distributed denial of service (DDoS) attacks are today a major threat to the availability of Internet services. Several schemes have been proposed for countering DDoS attacks directed at an Internet server, but they suffer from a range of problems: some are impractical to deploy and others are not effective against these attacks. In this paper we propose a dynamic rate throttling technique that greatly reduces the impact of an attack. The basic mechanism is to have monitoring, rate limiting and filtering routers at various levels of ISPs. The participating routers start their function only after receiving a signal from the server under attack, so the scheme is invoked only during attack periods and mitigates attack traffic through dynamic filtering: the server tells the edge routers to rate limit the traffic they forward according to the share of the server's traffic that passes through each router. The proposed solution is an ISP-level solution that is practical enough to be implemented. We simulated the scheme in NS-2 on a Linux system, using an Internet-like topology with generated web traffic to evaluate its effectiveness. Our scheme shows a good improvement over the static router throttling techniques proposed earlier. We therefore believe that the scheme proposed in this paper is a promising approach to mitigating DDoS attacks.
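The following is an added illustration of the signalling and share-based allocation described in the abstract; it is not the paper's NS-2 model or code. The abstract does not state the allocation rule, so this example assumes a proportional one: the server has a sustainable capacity `CAPACITY`, throttling is triggered when the offered load exceeds `ATTACK_FACTOR` times that capacity, and each edge router is sent a limit equal to the server's capacity multiplied by that router's share of the traffic currently measured through it. The "static" policy, the equal per-router cap used as the comparison baseline, the router names R1..R3 and the traffic trace are all constructed for this example.

```python
"""Share-based rate limiting under attack: an added illustration.

Example code written for this page, not the paper's NS-2 model.
Assumptions (not stated in the abstract, chosen here for illustration):
  * the server can sustain CAPACITY requests per measurement interval;
  * throttling is invoked when offered load exceeds ATTACK_FACTOR * CAPACITY;
  * router i's limit is CAPACITY * t_i / sum(t), i.e. proportional to the
    share t_i of the server's inbound traffic currently arriving via router i;
  * the "static" baseline gives every participating router the same fixed cap.
Router names R1..R3 and the traffic figures below are constructed.
"""

CAPACITY = 1000        # assumed sustainable requests per interval at the server
ATTACK_FACTOR = 1.2    # assumed trigger: offered load above 120% of capacity


def under_attack(offered, capacity=CAPACITY, factor=ATTACK_FACTOR):
    """Server-side detection: total offered load exceeds the trigger level."""
    return sum(offered.values()) > factor * capacity


def share_based_limits(offered, capacity=CAPACITY):
    """Server computes one limit per edge router, proportional to its share.

    `offered` maps router -> traffic measured through that router this
    interval. The limits sum to `capacity`, so the server is fully used
    but not overloaded, and every router keeps the same admission fraction.
    """
    total = sum(offered.values())
    if total == 0:
        return {router: float(capacity) for router in offered}
    return {router: capacity * t / total for router, t in offered.items()}


def static_limits(offered, capacity=CAPACITY):
    """Static scheme used for comparison: an equal cap per participating router."""
    per_router = capacity / len(offered)
    return {router: per_router for router in offered}


def enforce(offered, limits):
    """Each edge router drops whatever exceeds the limit it was signalled."""
    return {router: min(t, limits[router]) for router, t in offered.items()}


def simulate(rounds, policy=share_based_limits, capacity=CAPACITY):
    """Run successive measurement intervals.

    Limits are recomputed from the current interval's measurements only
    while the server is under attack; in normal intervals nothing is dropped
    and no signal is sent. Returns one record per interval.
    """
    history = []
    for offered in rounds:
        if under_attack(offered, capacity):
            limits = policy(offered, capacity)
            delivered = enforce(offered, limits)
        else:
            limits = None                     # scheme is dormant
            delivered = dict(offered)
        history.append({
            "offered": offered,
            "limits": limits,
            "delivered": delivered,
            "load_at_server": sum(delivered.values()),
        })
    return history


# Constructed traffic trace: normal load, a flood arriving via R3, the flood
# receding, then normal load again. Values are requests per interval.
ROUNDS = [
    {"R1": 300, "R2": 200, "R3": 100},
    {"R1": 300, "R2": 200, "R3": 5000},
    {"R1": 300, "R2": 200, "R3": 1000},
    {"R1": 300, "R2": 200, "R3": 100},
]


def compare(rounds=ROUNDS, capacity=CAPACITY):
    """Load reaching the server per interval under both policies."""
    share = [r["load_at_server"] for r in simulate(rounds, share_based_limits, capacity)]
    static = [r["load_at_server"] for r in simulate(rounds, static_limits, capacity)]
    return {"share_based": share, "static": static}


if __name__ == "__main__":
    for policy, loads in compare().items():
        print(policy, [round(x, 1) for x in loads])
```

Running it shows the property that motivates a dynamic scheme: the share-based limits track the measured load and keep the server exactly at capacity during the flood, while the equal static cap leaves capacity unused (the two lightly loaded routers never reach their cap) and would need retuning whenever the mix of traffic changes. It also makes a caveat visible that the abstract leaves open: if the share is measured during the attack, the legitimate traffic behind R1 and R2 is cut by the same fraction as the flood behind R3; measuring the share against a pre-attack baseline instead would throttle the anomalous router hardest, and which measurement the scheme uses is a design decision a deployer must settle.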