
FlowCookies: Using Bandwidth Amplification to Defend Against DDoS Flooding Attacks

Summary: Flow-Cookies: Using Bandwidth Amplification to Defend Against DDoS Flooding Attacks
Martin Casado, Pei Cao
Stanford University
Aditya Akella
University of Wisconsin, Madison
Niels Provos
Google, Inc.
Distributed Denial-of-Service flooding attacks against public web servers are increasingly common. Websites without the ability to over-provision or rely on a CDN are often overwhelmed by such attacks. Existing proposals to combat flooding within the network either require substantial changes to the Internet infrastructure (e.g., Capabilities [27, 26]), or the difficult task of identifying attack aggregates near the core (e.g., Push-back [18]).

In this paper, we present an easy to deploy mechanism whereby a third party with high access to bandwidth can protect a web server against bandwidth exhaustion from illegitimate traffic. With this mechanism, all traffic to and from a web site is routed via a third party managed middlebox. The middlebox provides two simple functions: (1) determine if a TCP packet sent to the web-server belongs to a legitimate flow (i.e., belongs to an already established connection, or originates from a non-spoofed IP address), and, (2) filter traffic from IPs blacklisted by the protected server. We show that this dual


Source: Akella, Aditya - Department of Computer Sciences, University of Wisconsin at Madison


Collections: Computer Technologies and Information Sciences