On Multi-Point, In-Network Filtering of Distributed Denial-of-Service Traffic

2019 IFIP/IEEE Symposium on Integrated Network and Service Management (IM) (2019)

Abstract
Research has shown that distributed denial-of-service (DDoS) attacks on the Internet could often be better handled by enlisting the in-network defense of multiple autonomous systems (ASes), rather than relying entirely on the victim's Internet Service Provider at the edge. Less noticed but important is the fact that an in-network defense can also remove DDoS traffic from the Internet early en route to the victim, thus decreasing the overall load on the Internet and reducing chances of link congestion. However, it is not well understood to what degree different in-network defense strategies can achieve such benefits. In this paper, we model the existing two main categories of in-network DDoS defense algorithms (PushBack, SourceEnd) and propose a new type of algorithm (StrategicPoints). In particular, we compare their effectiveness in minimizing the amount of DDoS traffic that the victim receives, their impact on reducing the DDoS traffic on the entire Internet, and their resiliency against intelligent adversaries and dynamic attacks. We detail how the comparison results vary according to parameters and provide our insights on the pros and cons of these three categories of in-network DDoS defense solutions.
Keywords
multiple autonomous systems, in-network DDoS defense algorithms, distributed denial-of-service, Internet, Internet service provider, link congestion, pushback algorithm, sourceend algorithm, strategicpoints algorithm