Summary: Flow-Cookies: Using Bandwidth Amplification to Defend Against
DDoS Flooding Attacks
Martin Casado, Pei Cao
University of Wisconsin, Madison
Distributed Denial-of-Service flooding attacks against public web servers are increasingly common.
Websites without the ability to over-provision or rely on a CDN are often overwhelmed by such attacks.
Existing proposals to combat flooding within the network either require substantial changes to the Internet
infrastructure (e.g., Capabilities [27, 26]), or the difficult task of identifying attack aggregates near
the core (e.g., Push-back).
In this paper, we present an easy-to-deploy mechanism whereby a third party with access to high
bandwidth can protect a web server against bandwidth exhaustion from illegitimate traffic. With this
mechanism, all traffic to and from a web site is routed via a third-party-managed middlebox. The
middlebox provides two simple functions: (1) determine whether a TCP packet sent to the web server belongs
to a legitimate flow (i.e., belongs to an already established connection, or originates from a non-spoofed
IP address), and (2) filter traffic from IPs blacklisted by the protected server. We show that this dual
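The following is an added illustration of the two middlebox functions listed above; it is not code from the paper. It models a middlebox that forwards a packet only if it belongs to an already-established flow or if its sender has just proven ownership of its source address, and that drops anything from an address on the server-supplied blacklist. How the real system verifies a non-spoofed address is not spelled out in the summary, so the check used here is an assumption: a SYN-cookie style HMAC over the 4-tuple that the client must echo back, which lets the middlebox admit new flows without keeping per-SYN state. The addresses, ports and secret are constructed sample values.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

MASK32 = 0xFFFFFFFF


@dataclass(frozen=True)
class Packet:
    """A TCP packet reduced to the fields the middlebox looks at."""
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False
    ack_num: int = 0  # on the handshake's final ACK this echoes cookie + 1


class Middlebox:
    """Admits a packet only if it is on a known flow or proves a real source
    address, and never if the source is on the server-supplied blacklist."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.established = set()  # (src, dst, sport, dport) of admitted flows
        self.blacklist = set()    # source IPs the protected server asked us to drop

    def cookie(self, src: str, dst: str, sport: int, dport: int) -> int:
        # Assumption (not from the paper): a SYN-cookie style HMAC over the
        # 4-tuple, so the final ACK can be verified without per-SYN state.
        msg = f"{src}|{dst}|{sport}|{dport}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")

    def blacklist_ip(self, ip: str) -> None:
        """Function (2): the protected server tells the middlebox whom to drop."""
        self.blacklist.add(ip)

    def handle(self, pkt: Packet) -> Tuple[str, Optional[int]]:
        """Return (action, cookie). action is 'forward', 'challenge' or 'drop';
        cookie is the value placed in the SYN-ACK when action is 'challenge'."""
        # Blacklist filtering runs first, so a flow the server has flagged is
        # cut off even if it was already established.
        if pkt.src in self.blacklist:
            return "drop", None
        key = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        # Function (1a): packets on an already-established connection pass.
        if key in self.established:
            return "forward", None
        # Function (1b): a new SYN is answered with a cookie instead of being
        # forwarded; nothing is stored, so a spoofed SYN flood costs no memory.
        if pkt.syn and not pkt.ack:
            return "challenge", self.cookie(*key)
        # Only a host that actually received the SYN-ACK can echo cookie + 1,
        # which demonstrates that its source address is not spoofed.
        if pkt.ack and not pkt.syn and pkt.ack_num == (self.cookie(*key) + 1) & MASK32:
            self.established.add(key)
            return "forward", None
        return "drop", None


def process_trace(mb: Middlebox, packets) -> dict:
    """Run a packet list through the middlebox and tally the actions taken."""
    counts = {"forward": 0, "challenge": 0, "drop": 0}
    for pkt in packets:
        action, _ = mb.handle(pkt)
        counts[action] += 1
    return counts


if __name__ == "__main__":
    mb = Middlebox(b"constructed-demo-secret")
    server = "203.0.113.10"
    # Constructed trace: one honest client completing the handshake, then a
    # flood of SYNs from spoofed sources that never answer the challenge.
    _, c = mb.handle(Packet("198.51.100.7", server, 40000, 80, syn=True))
    honest_ack = Packet("198.51.100.7", server, 40000, 80, ack=True, ack_num=(c + 1) & MASK32)
    flood = [Packet(f"192.0.2.{i}", server, 1000 + i, 80, syn=True) for i in range(200)]
    print(process_trace(mb, [honest_ack] + flood))
    print("flows tracked:", len(mb.established))
```

Running the script shows one forwarded packet, 200 challenges, and a single tracked flow: the flood never reaches the server and never grows the middlebox's state, which is the property the paper's bandwidth-amplification argument relies on.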