Advanced Search

Browse by Discipline

Scientific Societies

E-print Alerts

Add E-prints

E-print Network

  Advanced Search  

Flow-Cookies: Using Bandwidth Amplification to Defend Against DDoS Flooding Attacks

Summary: Flow-Cookies: Using Bandwidth Amplification to Defend Against
DDoS Flooding Attacks
Martin Casado, Pei Cao
Stanford University
Aditya Akella
University of Wisconsin, Madison
Neils Provos
Google, Inc.
Distributed Denial-of-Service flooding attacks against public web servers are increasingly common.
Websites without the ability to over-provision or rely on a CDN are often overwhelmed by such attacks.
Existing proposals to combat flooding within the network either require substantial changes to the Inter-
net infrastructure (e.g., Capabilities [27, 26]), or the difficult task of identifying attack aggregates near
the core (e.g, Push-back [18]).
In this paper, we present an easy to deploy mechanism whereby a third party with high access to
bandwidth can protect a web server against bandwidth exhaustion from illegitimate traffic. With this
mechanism, all traffic to and from a web site is routed via a third party managed middlebox. The
middlebox provides two simple functions: (1) determine if a TCP packet sent to the web-server belongs
to a legitimate flow (i.e ., belongs to an already established connection, or originates from a non-spoofed
IP address), and, (2) filter traffic from IPs blacklisted by the protected server. We show that this dual


Source: Akella, Aditya - Department of Computer Sciences, University of Wisconsin at Madison
Pratt, Vaughan - Department of Computer Science, Stanford University


Collections: Computer Technologies and Information Sciences