Affiliations: Research Center of Computer Network and Information
Security Technology, Harbin Institute of Technology, Harbin 150001, China | Computer Science Department, University of Houston,
Houston, TX 77204, USA
Abstract: Distributed denial of service (DDoS) is a major threat to the
availability of Internet services. As one of the most difficult problems in
network security, it has received considerable attention from the mass media
and the research community. In this paper, we design an effective and practical
countermeasure which allows a general-purpose TCP-based public server to
sustain high availability even during severe DDoS attacks. A novel
microeconomic framework based on the Generalized Vickrey auction (GVA) is proposed.
By adopting this mechanism, not only is the availability of services improved,
but the total utility of legitimate clients can also be maximized. Initial
simulations have shown that this mechanism is highly effective in
preferentially dropping attacker traffic over legitimate client traffic, and
the protected server can remain operational under various system loads and
severe attack conditions. The results indicate that it is a promising
approach to countering DDoS attacks.