Toward Adaptive DDoS-Filtering Rule Generation

Despite various distributed denial-of-service (DDoS) filtering solutions proposed and deployed throughout the Internet, DDoS attacks continue to evolve and successfully overwhelm the victims with DDoS traffic. While current DDoS solutions in general employ a fixed filtering granularity (e.g., IP address, 4-tuple flow, or service requests) with a specific goal (e.g., maximum coverage of DDoS traffic), in this paper we investigate adaptive DDoS filtering. We design and experiment algorithms that can generate and deploy DDoS-filtering rules that not only adapt to the most suitable and effective filtering granularity (e.g., IP source address and a port number vs. an individual IP address vs. IP prefixes at different lengths), but also adapt to the first priorities of victims (e.g., maximum coverage of DDoS traffic vs. minimum collateral damage from dropping legitimate traffic vs. minimum number of rules). We evaluated our approach through both large-scale simulations based on real-world DDoS attack traces and pilot studies. Our evaluations confirm that our algorithms can generate rules that adapt to every distinct filtering objective and achieve optimal results.