The Internet has become a societally transformative technology. Because the design of the Internet allows any Internet-connected device to send any amount of traffic to any other Internet-connected device, attackers can send large volumes of traffic to a victim, overwhelming the ability of the network to carry legitimate traffic to the victim. When many different devices send such attack traffic in a coordinated manner, the attack is called a Distributed Denial-of-Service (DDoS) attack, and is difficult to filter in the current Internet architecture.

This research investigates a new architecture for filtering DDoS attacks that is efficient, economical, and readily deployable. The proposed architecture aims to alleviate the burden of maintaining an Internet service in the presence of DDoS attacks, and to improve the availability of Internet services. The proposed architecture combines a filtering functionality deployed in the cloud with a network state estimation algorithm performed with the cooperation of the cloud and the victim server. Traffic is redirected to the cloud server using DNS; the cloud server then polices each sender's traffic according to a receiver-selected fair sharing policy. The fair sharing algorithm uses the bandwidth estimate derived from the network state estimator. The network state estimator uses capability feedback from the receiver to estimate the available bandwidth for fair sharing.

This research expands the proposed architecture to make it more secure, more effective at catching obvious Denial-of-Service attacks, and more robust against powerful adversaries. The research will also provide a more thorough evaluation of the proposed architecture. The work will advance the understanding of how incrementally deployable approaches, deployed based on economic incentives rather than relying on altruistic deployments, can also provide strong properties. Specifically, it aims to develop and evaluate a collection of methods that, when fully deployed, would provide the same strengths as an approach like SIBRA, yet be incrementally deployable, providing benefits as each Internet entity deploys each individual mechanism.
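The per-sender policing step described above can be sketched as follows; this is an added example, not code from the project. It assumes max-min fairness as the receiver-selected policy, senders keyed by source address, and a bandwidth estimate supplied as a plain number by the network state estimator; the function names and traffic figures are constructed for illustration.

```python
def max_min_fair_share(demands, capacity):
    """Water-filling allocation: senders asking for less than an equal
    share keep their full demand; the rest split what is left equally.
    demands: {sender: offered rate}, capacity: estimated bandwidth."""
    alloc = {}
    remaining = float(capacity)
    pending = sorted(demands.items(), key=lambda kv: kv[1])
    while pending:
        share = remaining / len(pending)
        sender, demand = pending[0]
        if demand <= share:
            # Smallest remaining demand fits under the equal share.
            alloc[sender] = demand
            remaining -= demand
            pending.pop(0)
        else:
            # Everyone left wants more than the equal share: cap them all.
            for s, _ in pending:
                alloc[s] = share
            break
    return alloc


def police(observed, capacity):
    """Return {sender: (forwarded, dropped)} for one measurement interval."""
    alloc = max_min_fair_share(observed, capacity)
    return {s: (alloc[s], observed[s] - alloc[s]) for s in observed}


# Constructed sample: offered rates in Mbit/s seen at the cloud filter.
SAMPLE = {
    "198.51.100.7": 2,     # ordinary client
    "198.51.100.8": 5,     # ordinary client
    "198.51.100.9": 8,     # ordinary client
    "203.0.113.50": 400,   # flooding sender
    "203.0.113.51": 400,   # flooding sender
}
ESTIMATED_BANDWIDTH = 100  # Mbit/s, assumed output of the state estimator

if __name__ == "__main__":
    for sender, (fwd, drop) in police(SAMPLE, ESTIMATED_BANDWIDTH).items():
        print(f"{sender:15s} forwarded={fwd:6.1f} dropped={drop:6.1f}")
```

Low-rate senders are forwarded in full while the two flooding senders are each held to the same residual share, so the total forwarded never exceeds the estimate.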