
Chapter 4: Distance-based Defense Framework

4.4 Traffic Control Component

The purpose of a rate limit is to protect the victim-end edge network from the situation in which aggregated incoming traffic exceeds its capacity [26]. During a DDoS attack, a rate limit serves not only to bring the aggregated traffic under the bottleneck link's bandwidth, but also to decrease the share of the aggregated traffic that attack traffic represents. To control attack traffic, the rate limit should be installed on the routers that are close to the attackers. In the framework, the distance-based traffic separation DDoS detection technique cooperates with the FIT technique to find the source-end edge routers. We propose a distance-based Max-Min fair share rate limit algorithm to allocate the bandwidth among all incoming traffic from the routers that are forwarding attack traffic. It is not fair to penalize all routers at a given distance equally by setting the same rate limit for all of them. Therefore, the algorithm differentiates rate limits based on the packet drop histories of individual routers: the drop rate affects the final value of the rate limit for each router.

The pseudo-code of the algorithm is illustrated in Listing 4.3. Lines 4 to 10 of the algorithm check whether the current traffic volume is greater than the load limit of the bottleneck link. When the traffic volume is greater than the load limit and an attack is detected, lines 6-8 exponentially decrement the rate limits. When the traffic volume is found to be less than the load limit of the bottleneck link, lines 13-15 remove all existing rate limits if the change in traffic volume is less than a small constant ε. At this point we consider the attack to have finished, so the rate limits are removed to allow legitimate traffic to fully utilize the network resources. Lines 18-20 linearly increase the rate limits when the change in traffic volume exceeds ε but the traffic volume is still less than the load limit of the bottleneck link. Line 23 stores the current traffic rate in the variable Rprv.

Table 4.3: Symbols used in the rate limit algorithm

Parameter   Description
d           Distance value
Us          Load limit
RCv         Current traffic rate at the victim end
RCi         Current traffic rate at router i
RLi         Rate limit for router i
Rprv        Previous traffic rate at the victim end
Rateinc     Increase rate factor
hfi         Drop rate for router i
fdec        Decrease rate factor

Listing 4.3 The pseudo-code of the distance-based rate limit

 1  While(1){
 2      Send current rate limit information to source-end routers;
 3      Monitor current traffic rate at the victim end;
 4      If(RCv > Us){
 5          If(An attack is detected originating from distance d){
 6              For(each router i at distance d){
 7                  RLi = RCi * fdec * (1 - hfi);
 8              }
 9          }
10      }
11      Else
12      {
13          If((RCv - Rprv) < ε){
14              Remove all rate limits;
15          }
16          Else
17          {
18              For(each router i which has rate limits){
19                  RLi = RCi + Rateinc * (1 - hfi);
20              }
21          }
22      }
23      Rprv = RCv;
24  }

The distance-based rate limit algorithm has two phases while defeating a DDoS attack. At the early stage of an attack (the first phase) the algorithm exponentially decreases the traffic sending rate from the source-end routers. The sending rates of the source-end routers are restricted according to the following formula:

$$RL_i = RC_i \cdot f_{dec} \cdot (1 - hf_i). \quad (4.10)$$

parameter which reflects the drop rate of traffic at a source-end router i. We calculate hfi for router i with the following equation:

$$hf_i = \frac{Dropped_i}{Sent_i + Dropped_i}; \quad (4.11)$$

Senti is the number of bytes of flow traffic forwarded to the victim from router i, and Droppedi is the number of bytes of flow traffic dropped at router i. According to the above equation for the calculation of rate limits, more aggressive attack traffic is penalized with a relatively lower rate limit value because the hfi of the attack traffic is higher. In general, the fast exponential decrease of the sending rates attempts to quickly lessen the impact of an attack on the victim.

The second phase is called the recovery phase. It happens after the victim considers the attack to be at an end. However, this may not be true, because it is highly possible that a DDoS attack itself happens periodically. Like IP traffic control, the speed of recovery is slow at the early stage of the recovery phase. The sending rate for router i is increased linearly as follows:

$$RL_i = RC_i + Rate_{inc} \cdot (1 - hf_i). \quad (4.12)$$

Here, Rateinc is a configuration parameter and hfi is as defined above. Moreover, the drop rate also affects the speed of recovery. After detecting that the traffic is stable enough at the victim end, the last step of the recovery phase removes the rate limits at all source-end routers. This lets the routers serve legitimate traffic fully.

4.5 Summary

We have introduced our novel distance-based distributed DDoS defense framework. In the framework, the source-end and victim-end defense systems cooperate with each other in order to detect and respond to DDoS attacks effectively. At the victim end, we propose two distance-based DDoS detection techniques that detect an attack by observing anomalous changes in average distance values and in separated traffic rates. After the attack has been detected, the traceback component of the victim-end defense system analyzes the attack traffic to find the addresses of the remote routers forwarding attack traffic. An alert message is sent to the source-end defense systems in charge of these routers. Instead of traditional traffic filtering, we propose distance-based rate limiting to control attack traffic from these source-end routers.

In the next chapter, we evaluate the framework on the NS2 simulator by using six proposed metrics on three layers. Moreover, we demonstrate that the framework improves on the pushback technique when it comes to defeating DDoS attacks.
