OverCourt: DDoS mitigation through credit-based traffic segregation and path migration

Distributed Denial of Service (DDoS) attacks have become one of the most serious threats to the Internet. To mitigate DDoS attacks, much progress has been made in developing currency-based solutions, where a sender is required to spend resources such as computational cost, bandwidth, prior knowledge, and human actions to purchase her legitimacy before sending packets. In this paper, we propose an innovative overlay-based DDoS mitigation architecture by introducing a credit-based accounting mechanism, where a sender can send packets based on her credit points earned by her legitimate communication behaviors instead of expending resources in advance. Since the credit points given to a sender is designed to be measured based on her history of communication patterns, a well-behaving sender can gain her credit points while an ill-behaving one will lose her credit points. We propose an architecture of such a credit-based system, named OverCourt, where a well-behaving client may dynamically migrate to a protected channel when her credit points exceed a threshold while an ill-behaving client will be blocked after her credit points have been exhausted. The analysis and simulation results show that OverCourt can mitigate DDoS attacks under various DDoS attack scenarios.