• DocumentCode
    397056
  • Title
    Proactively defeating distributed denial of service attacks
  • Author
    Fan, Yinghong ; Hassanein, Hossam ; Martin, Pat

  • Author_Institution
    Sch. of Comput., Queen's Univ., Kingston, Ont., Canada
  • Volume
    2
  • fYear
    2003
  • fDate
    4-7 May 2003
  • Firstpage
    1047
  • Abstract
    A distributed denial of service (DDoS) attack (2001) is an explicit attempt to interrupt an online service by generating a high volume of malicious traffic. These attacks consume all available network resources, thus rendering legitimate users unable to access the services. Most existing solutions propose to detect and drop attack packets at or near the destination network, where the attack packets have already traversed the network and consumed considerable bandwidth. The aggregate traffic at the destination router may consist of hundreds of thousands of flows, so it is hard for the router to distinguish between legitimate and malicious packets, and collateral damage is unavoidable. In this paper, we present a source router preferential dropping (SRPD) scheme to detect and defeat DDoS attacks at their sources. SRPD monitors only high-rate outgoing flows at source networks and preferentially drops the packets belonging to these flows when it senses the existence of an attack. A simulation model is constructed to evaluate the performance of the proposed scheme. The results show that SRPD effectively controls DDoS attacks at their sources and reduces collateral damage to a minimum level.
  • Keywords
    Internet; packet switching; telecommunication network routing; telecommunication security; telecommunication traffic; Internet; aggregate traffic; attack packets; distributed denial of service attacks; online service; source router preferential dropping scheme; victim router; Aggregates; Authorization; Bandwidth; Computer bugs; Computer crime; Distributed computing; Filtering; TCPIP; Telecommunication traffic; Web and internet services;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Electrical and Computer Engineering, 2003. IEEE CCECE 2003. Canadian Conference on
  • ISSN
    0840-7789
  • Print_ISBN
    0-7803-7781-8
  • Type
    conf

  • DOI
    10.1109/CCECE.2003.1226075
  • Filename
    1226075