PacketScore: Statistical-based Overload Control against Distributed Denial-of-Service Attacks

Yoohwan Kim*, Wing Cheong Lau**, Mooi Choo Chuah** and Jonathan H. Chao***

* EECS Department, Case Western Reserve University, Cleveland, Ohio
** Bell Labs, Lucent Technologies, Holmdel, New Jersey
*** ECE Department, Polytechnic University, Brooklyn, New York

Corresponding Authors: [email protected], [email protected]

Abstract -- Distributed Denial of Service (DDoS) attacks are a critical threat to the Internet. Currently, most ISPs merely rely on manual detection of DDoS attacks, after which offline fine-grain traffic analysis is performed and new filtering rules are installed manually on the routers. The need for human intervention results in poor response time and fails to protect the victim before severe damage is done. The expressiveness of existing filtering rules is also too limited and rigid when compared to the ever-evolving characteristics of the attacking packets. Recently, we have proposed a DDoS defense architecture that supports distributed detection and automated on-line attack characterization. In this paper, we focus on the design and evaluation of the automated attack characterization, selective packet discarding and overload control portion of the proposed architecture. Our key idea is to prioritize packets based on a per-packet score which estimates the legitimacy of a packet given the attribute values it carries. Special considerations are made to ensure that the scheme is amenable to high-speed hardware implementation. Once the score of a packet is computed, we perform score-based selective packet discarding, where the dropping threshold is dynamically adjusted based on (1) the score distribution of recent incoming packets and (2) the current level of overload of the system.

Keywords— System design, Simulations, Denial-of-Service Attack, Security, Overload Control, Selective Packet Discarding, Traffic characterization.

I. MOTIVATION

One of the major threats to cyber security is the Distributed Denial-of-Service (DDoS) attack, in which the victim network element(s) are bombarded with a high volume of fictitious attacking packets originating from a large number of machines. The aim of the attack is to overload the victim and render it incapable of performing normal transactions. DDoS attacks can be categorized into end-point attacks and infrastructure attacks. In an end-point attack, the victim can be an individual end-host or, more typically, an entire customer stub-network served by an Internet Service Provider (ISP). In an infrastructure attack, a high volume of attacking packets is forced through a port of an ISP router to create one or more choke-points within the ISP infrastructure, based on knowledge of the routing pattern within the domain.

Currently, most ISPs merely rely on manual detection of DDoS attacks. Once an attack is reported, an offline fine-grain traffic analysis is performed by a subject-matter expert to identify and characterize the attacking packets. New filtering rules/access control lists are then constructed and installed manually on the routers according to the outcome of the attack characterization. The need for human intervention results in poor response time and fails to protect the victim before severe damage is done. This procedure also lacks adaptability and leaves the system vulnerable to fast-varying DDoS attacks. Further, the expressiveness of existing rule-based filtering is too limited, as it requires an explicit specification of all types of packets to be discarded. As the difference between legitimate and attacking packets becomes increasingly subtle, the number of required filtering rules as well as the number of packet attributes included in each rule explode. The increase in rule-set complexity also poses serious scalability problems for high-speed implementation of rule-based filtering.

Recently, the DDoS problem has attracted much attention from the research community. So far, the focus has been on the design of traffic marking and traceback protocols [Be01, Pa01, Sa01, Sn01], which enable downstream routers to determine and notify the upstream routers of the attacking packets. Most of the work emphasizes the backward compatibility of protocol support for traceback under the existing Internet infrastructure. Once the upstream sources of the attack have been identified, proposed pushback mechanisms [Io02, Ya02] are used to contain the damage of the attack. However, the effectiveness of such an approach is contingent upon the ability to extract a precise characterization of the attacking packets. Without such characterization, the legitimate traffic within the suspicious flows will be equally affected by the pushback mechanism. While there has been recent work by the data-mining research community to recognize intrusion patterns using offline machine-learning approaches [Le98, Ma99], these schemes are mostly offline-oriented. An exception to this trend is the D-WARD approach [Mi02], which does perform limited statistical traffic profiling at the edge of the network to perform online detection of new types of DDoS attacks. By monitoring the nominal per-destination traffic arrival and departure rates of TCP, UDP and ICMP packets, as well as any abnormal asymmetric behavior of the two-way traffic at the edge router connecting to a stub-network, D-WARD aims at stopping DDoS attacks near their sources, i.e., the ingress routers. While such a "source-side" approach is attractive in terms of having less demanding operating-speed and scalability requirements, its viability hinges on the voluntary cooperation of the majority of ingress network administrators Internet-wide. In theory, one can circumvent this deployment problem by applying the D-WARD approach to the backbone network.
However, in order to realize such a backbone approach, one must address the key scalability issues such as the large number of targets required to be protected and the high operating speed within the backbone network. This is indeed the emphasis of our proposed scheme. There are also a small set of commercial products [Mazu, Rive] which advertise limited support of statistics-based adaptive filtering techniques. However, most of these solutions do not fully automate packet differentiation or filter enforcement. Instead, they only recommend a set of binary filter rules to the network administrator to be installed in their
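The score-based selective discarding outlined in the abstract, as an added illustration rather than code from the paper: each packet gets a legitimacy score from the nominal versus current frequencies of the attribute values it carries (an assumed construction, not the paper's own scoring formula), and the drop threshold is taken from the quantile of the recent score distribution that matches the current overload level. The packet windows, attribute buckets and capacity figures are constructed for the example.

```python
from collections import Counter

ATTRS = ("proto", "size", "ttl")  # packet attributes used for scoring

def profile(packets):
    """Relative frequency of each value of each attribute within one window."""
    n = len(packets)
    return {a: {v: c / n for v, c in Counter(p[a] for p in packets).items()}
            for a in ATTRS}

def score(packet, nominal, current, floor=1e-6):
    """Legitimacy score (assumed construction, not the paper's exact formula):
    product over attributes of nominal / current frequency of the carried value,
    so values over-represented in the current window pull the score toward 0.
    A value unseen in a window gets the small floor instead of a zero divide."""
    s = 1.0
    for a in ATTRS:
        s *= nominal[a].get(packet[a], floor) / current[a].get(packet[a], floor)
    return s

def threshold(scores, overload):
    """k-th lowest recent score with k = overload fraction * window size, so that
    dropping everything below it sheds the excess load (ties make it approximate)."""
    n = len(scores)
    k = min(round(min(max(overload, 0.0), 1.0) * n), n - 1)
    return sorted(scores)[k]

def shed(packets, nominal, offered, capacity):
    """Score one window and keep packets scoring at or above the threshold;
    the overload level is the fraction of the offered load above capacity."""
    current = profile(packets)
    scores = [score(p, nominal, current) for p in packets]
    thr = threshold(scores, (offered - capacity) / offered)
    return [p for p, s in zip(packets, scores) if s >= thr], thr

def pkt(proto, size, ttl, legit):
    return {"proto": proto, "size": size, "ttl": ttl, "legit": legit}

# Constructed sample windows (bucketed values, not real captures).
NOMINAL = (60 * [pkt("TCP", "mid", "high", True)] + 20 * [pkt("TCP", "large", "high", True)]
           + 15 * [pkt("UDP", "mid", "mid", True)] + 5 * [pkt("ICMP", "small", "mid", True)])
FLOOD = (100 * [pkt("UDP", "small", "low", False)] + 60 * [pkt("UDP", "small", "mid", False)]
         + 40 * [pkt("ICMP", "small", "low", False)])

def demo(capacity):
    """Nominal mix plus flood (300 packets offered) against the given capacity;
    returns (packets kept, legitimate packets kept, threshold used)."""
    window = NOMINAL + FLOOD
    kept, thr = shed(window, profile(NOMINAL), offered=len(window), capacity=capacity)
    return len(kept), sum(p["legit"] for p in kept), thr
```

With no overload (capacity 300) nothing is discarded even though flood packets score low, which is the overload-control rather than pure-filtering behaviour the abstract describes; at capacity 150 the cut lands inside a run of equal scores, so 140 rather than 150 packets are shed.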