TY - JOUR
T1 - Optimal Filter Assignment Policy Against Distributed Denial-of-Service Attack
AU - Biswas, Rajorshi
AU - Wu, Jie
N1 - Funding Information:
This research was supported in part by NSF Grants CNS 1824440, CNS 1828363, CNS 1757533, CNS 1618398, CNS 1651947, CNS 1564128, and ONR 401420.
Publisher Copyright:
© 2004-2012 IEEE.
PY - 2022
Y1 - 2022
N2 - A distributed denial-of-service (DDoS) attack is a cyber-attack in which attackers from different locations send out many requests to exhaust the capacity of a server. Current DDoS attack protection services filter out the DDoS attack packets in the middle of the path from the attacker to the servers. Some of the DDoS protection systems filter them out at the victim server. As a result, unnecessary attack traffic congests the network and wastes bandwidth. This can be minimized if we block them as early as possible. In this paper, we propose a DDoS attack protection system by using the filter router. The victim needs to wisely select and send filters to a subset of filter routers to minimize attack traffic and blockage of legitimate users (LUs). Many filters can easily minimize the attack traffic and blockage of LUs, but it is costly to the victim. So, we formulate two problems with different settings for selecting filter routers given a constraint on the number of filters. We propose dynamic programming solutions for both problems. Both problems consider the blockage of all attack traffic before it reaches the victim. We conduct extensive simulation to support our solutions.
UR - http://www.scopus.com/inward/record.url?scp=85116857638&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85116857638&partnerID=8YFLogxK
U2 - 10.1109/TDSC.2020.2987301
DO - 10.1109/TDSC.2020.2987301
M3 - Article
AN - SCOPUS:85116857638
SN - 1545-5971
VL - 19
SP - 339
EP - 352
JO - IEEE Transactions on Dependable and Secure Computing
JF - IEEE Transactions on Dependable and Secure Computing
IS - 1
ER -