In-Network Filtering of Distributed Denial-of-Service Traffic with Near-Optimal Rule Selection

Abstract

A recent trend to mitigate large-scale distributed denial-of-service (DDoS) attacks is in-network filtering, where victims can deploy traffic-filtering rules in networks other than their own. However, given multiple constraints, such as the number of rules a victim can afford to deploy, the set of rules that DDoS defense entities allow a victim to deploy, and the amount of collateral damage to limit, the selection of rules has a large impact on the efficacy of an in-network filtering solution. In this paper, we introduce a new, offer-based operational model for in-network DDoS defense and formulate the NP-hard rule selection problem for this model. We then design an algorithm that overcomes the fundamental limitations of the classical ACO framework and transform it with several key changes to make it applicable to the domain of in-network DDoS defense. Finally, we use a real-world-based Internet routing topology and two real-world DDoS traces, along with one synthetic trace that follows the attack distribution of the recent Mirai DDoS attack, to evaluate the efficacy and runtime of our algorithm against four other rule selection algorithms, and show our algorithm is near-optimal.