Article ID: 449622
Journal: Computer Communications
Published Year: 2006
Pages: 12 Pages
File Type: PDF
Abstract

Reflector-based DDoS attacks are feasible in a variety of request/reply-based protocols including TCP, UDP, ICMP, and DNS. To mitigate these attacks, we advocate the concept of victim assistance and use it in the context of a novel scheme called pairing-based filtering (PF). The main idea of the PF scheme is to validate incoming reply packets by pairing them, in a distributed manner, with the corresponding request packets. This pairing is performed at the edge routers of the ISP perimeter that contains the victim rather than at the edge router to which the victim is directly connected, leading to protection from bandwidth exhaustion attacks in addition to the protection from victim’s resource exhaustion attacks. We evaluate the proposed scheme through analytical studies using two performance metrics, namely, the probability of allowing an attack packet into the ISP network, and the probability of filtering a legitimate packet. Our analysis shows that the proposed scheme offers a high filtering rate for attack traffic, while causing negligible collateral damage to legitimate traffic.

Related Topics
Physical Sciences and Engineering > Computer Science > Computer Networks and Communications