Publications

A Source Router Approach to DDoS Defense

Abstract

Distributed denial-of-service attacks present a great threat to the Internet, and existing security mechanisms cannot detect or stop them successfully. The problem lies in the distributed nature of the attacks, which engages the power of a vast number of coordinated hosts. The response to the attack also needs to be distributed, but cooperation between administrative domains is hard to achieve, and security and authentication of participants incur a high cost. We propose a DDoS defense system deployed at source-end networks that autonomously detects and stops the attacks originating from those networks. Attacks are detected by monitoring two-way traffic flows between the network and the rest of the Internet. Monitored flows are periodically compared with predefined models of normal traffic, and those flows classified as part of a DDoS attack are rate-limited. We evaluate the performance of our system in a realistic testbed.

Date
December 19, 2025
Authors
Jelena Mirkovic, Peter Reiher, Gregory Prier
Journal
Proceedings of the USENIX Security Symposium