Distributed denial of service (DDoS) attack was defended by distributed filtering. Distributed defense was restricted inside autonomous system (AS), which was a suitable bound for defense. Both bandwidth and processing capability of victim were considered. The filtering threshold was dynamically adjusted in AS edge according to the throughput of victim in support vector machine (SVM)-based multi-resource max-min fairness (SMMF) algorithm. Then SMMF achieved multi-resource max-min fairness and was much effective. Simulation results demonstrate that attacking traffic can be depressed in a common scenario and the legitimate throughput can be kept in a normal level when current methods fail. A realization of filters on PC-based router indicates that only a very small amount of memory is needed and the packet throughput is still normal when thousands of filters are installed.
[1] WAN K K K, CHANG R K C. Engineering of a global defense infrastructure for ddos attacks [C] // Proceedings of 10th IEEE International Conference on Networks. Pairs: IEEE, 2002: 419427.
[2] MAHAJAN R, BELLOVIN S. M, FLOYD S, et al. Controlling high bandwidth aggregates in the network [J]. Computer Communication Review, 2002, 32(3): 6273.
[3] KEROMYTIS A D, MISRA V, RUBENSTEIN D. SOS: secure overlay services [J]. Computer Communication Review, 2002, 32(4): 6172.
[4] YAAR A, PERRIG A, SONG D. Pi: a path identification mechanism to defend against ddos attacks [C] // Proceedings of Symposium on Security and Privacy. San Diego: IEEE, 2003: 93107.
[5] YANG X W, WETHERALL D, ANDERSON T. A DoS limiting network architecture [J]. Computer Communication Review, 2005, 35(4): 241252.
[6] DUAN Z, YUAN X, CHANDRASHEKAR J. Constructing inter-domain packet filters to control IP spoofing based on BGP updates [C] // Proceedings of IEEE Infocom. Barcelona: IEEE, 2006: 112.
[7] PARK K, LEE H. On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law Internets [J]. Computer Communication Review, 2001, 31(4): 1526.
[8] CHEN S, SONG Q. Perimeter-based defense against high bandwidth DDoS attacks [J]. IEEE Transactions on Parallel and Distributed Systems, 2005, 16(6): 526537.
[9] YAU D K Y, LUI J C S. Defending against distributed denial-of-service attacks with max-min fair server-centric router throttles [J]. IEEE/ACM Transactions on Networking, 2005, 13(1): 2942.
[10] JAFFE J. Bottleneck flow control [J]. IEEE Transactions on Communications, 1981, 29(7): 954962.
[11] KELLY F. Charging and rate control for elastic traffic [J]. Europen Transactions on Telecommunications, 1997, 8(1): 3337.
[12] CAO Z, ZEGURA E W. Utility max-min: an application-oriented bandwidth allocation scheme [C] // Proceedings of IEEE Infocom. New York: IEEE, 1999: 793801.
[13] ZHOU Y, SETHU H. On achieving fairness in the joint allocation of processing and bandwidth resources: principles and algorithms [J]. IEEE/ACM Transactions on Networking, 2005, 13(4): 10541067.
[14] HSU C W, LIN C J. A comparison of methods for multi-class support vector machines [J]. IEEE Transactions on Neural Networks, 2002, 13(2): 415425.
[15] PAPPU P, WOLF T. Scheduling processing resources in programmable routers [C] // Proceedings of IEEE Infocom. New York: IEEE, 2002: 104112.
