Diversion & Sieving Techniques to Defeat DDoS

Abstract:

Network engineers have been known to use diversion to blackhole DDoS attacks. This technique may divert and blackhole legitimate traffic. We present a method that provides availability under DDoS attacks by combining different diversion methods with a mechanism that sieves the "bad" packets and forwards the "good" packets to the intended victim. The method minimizes demand on router resources and does not introduce additional elements on the normal data path.

The diversion method allows a sieving mechanism to process only the victims' traffic. The system is employable on a provider's backbone, preferably at the peering points. Furthermore, since diversion is done on demand for different targets at different periods of time, the solution can be shared by a large number of potential victims and can protect any element in the provider's backbone. This method can also be applied on egress traffic, thus enabling a service provider to clean attack traffic generated within its own network. Various alternative methods of transparently diverting a victim's traffic and returning its legitimate traffic will be presented.
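A toy model of the architecture described above, added here as an illustration and not code from the NANOG 2001 presentation: diversion is switched on per victim prefix on demand, non-victim traffic never touches the sieve, and only packets that pass the sieve are returned to the victim. The addresses, packet fields and the per-source packet budget used as the sieving rule are assumptions chosen for the simulation (the talk's actual sieving heuristics are not given in the abstract).

```python
# Added example, not code from the NANOG 2001 talk. Addresses, packet fields and
# the per-source packet budget used as the sieving rule are assumptions.
import ipaddress
from collections import Counter

class DiversionSieve:
    """Models a backbone router that diverts only victim-bound traffic to a sieve."""

    def __init__(self, per_source_budget):
        self.diverted = set()            # victim prefixes diverted right now (on demand)
        self.budget = per_source_budget  # assumed sieving rule, stands in for real heuristics
        self.seen = Counter()            # sieve state; only diverted traffic is counted

    def divert(self, prefix):
        """Start diverting traffic for a victim prefix (e.g. once an attack is reported)."""
        self.diverted.add(ipaddress.ip_network(prefix))

    def restore(self, prefix):
        """Stop diverting and free the sieve state, so the sieve can serve another victim."""
        net = ipaddress.ip_network(prefix)
        self.diverted.discard(net)
        for key in [k for k in self.seen if ipaddress.ip_address(k[1]) in net]:
            del self.seen[key]

    def forward(self, pkt):
        """Return 'direct' (normal path, sieve untouched), 'victim' (sieved, returned) or 'dropped'."""
        dst = ipaddress.ip_address(pkt["dst"])
        if not any(dst in net for net in self.diverted):
            return "direct"
        key = (pkt["src"], pkt["dst"])
        self.seen[key] += 1
        return "victim" if self.seen[key] <= self.budget else "dropped"

def run(sieve, packets):
    """Forward every packet through the router model and tally the outcomes."""
    return Counter(sieve.forward(p) for p in packets)

# Constructed traffic: a flood from one source at the victim, two legitimate
# packets for the victim, and five packets for a destination that is not diverted.
SAMPLE = ([{"src": "203.0.113.7", "dst": "192.0.2.10"}] * 20
          + [{"src": "198.51.100.1", "dst": "192.0.2.10"}] * 2
          + [{"src": "198.51.100.1", "dst": "192.0.2.99"}] * 5)

if __name__ == "__main__":
    s = DiversionSieve(per_source_budget=3)
    s.divert("192.0.2.10/32")
    print(run(s, SAMPLE))  # Counter({'dropped': 17, 'direct': 5, 'victim': 5})
```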
Presentation slides (NANOG 2001)