Summary: FlowCookies: Using Bandwidth Amplification to Defend Against
DDoS Flooding Attacks
Martin Casado, Pei Cao
University of Wisconsin, Madison
Distributed Denial-of-Service flooding attacks against public web servers are increasingly common.
Websites without the ability to overprovision or rely on a CDN are often overwhelmed by such attacks.
Existing proposals to combat flooding within the network either require substantial changes to the
Internet infrastructure (e.g., Capabilities [27, 26]), or the difficult task of identifying attack aggregates near
the core (e.g., Pushback).
In this paper, we present an easy-to-deploy mechanism whereby a third party with access to high
bandwidth can protect a web server against bandwidth exhaustion from illegitimate traffic. With this
mechanism, all traffic to and from a web site is routed via a third-party-managed middlebox. The
middlebox provides two simple functions: (1) determine if a TCP packet sent to the web server belongs
to a legitimate flow (i.e., belongs to an already established connection, or originates from a non-spoofed
IP address), and (2) filter traffic from IPs blacklisted by the protected server. We show that this dual