High Performance Traffic Shaping for DDoS Mitigation

Markus Goldstein, Matthias Reif, Armin Stahl, Thomas Breuel
Proceedings of the 2008 ACM CoNEXT conference, Madrid, Spain, ACM, SIGCOMM, 12/2008


Distributed Denial of Service (DDoS) attack mitigation systems usually generate a list of filter rules in order to block malicious traffic. In contrast to this binary decision, we suggest using traffic shaping, where the bandwidth limit is defined by the probability that a source is a legitimate user. As a proof of concept, we implemented a simple high performance Linux kernel module, nf-HiShape, which is able to shape thousands of source IP addresses at different bandwidth limits even under high packet rates. Our shaping algorithm is comparable to Random Early Detection (RED) applied to every single source IP range. The evaluation shows that our kernel module can handle up to 50,000 IP ranges at nearly constant throughput, whereas Linux tc already decreases throughput at about 200 ranges.
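As an added illustration of the shaping idea in the abstract (this is not the paper's nf-HiShape code; the per-window byte budgets, the RED thresholds min_th/max_p and the example ranges are constructed assumptions), each source IP range gets a bandwidth limit scaled by its probability of being legitimate, and drops ramp up RED-style as the range's usage approaches that limit:

```python
import ipaddress
import random

# Constructed example: per-source-range shaper whose limit is
# max_bytes * P(source is legitimate), with RED-like probabilistic
# dropping between min_th * limit and the limit itself.
class RangeShaper:
    def __init__(self, max_bytes_per_window, min_th=0.5, max_p=0.1, rng=None):
        self.max_bytes = max_bytes_per_window   # budget for p_legit = 1.0
        self.min_th = min_th                    # RED: no drops below this fraction
        self.max_p = max_p                      # RED: drop probability just below the limit
        self.rng = rng or random.Random(1)      # seeded so runs are reproducible
        self.limits = {}                        # network -> byte budget per window
        self.usage = {}                         # network -> bytes admitted this window

    def add_range(self, cidr, p_legit):
        net = ipaddress.ip_network(cidr, strict=False)
        self.limits[net] = self.max_bytes * p_legit
        self.usage[net] = 0

    def lookup(self, src):
        # Longest-prefix match; a source in no configured range is not shaped here.
        addr = ipaddress.ip_address(src)
        hits = [n for n in self.limits if addr in n]
        return max(hits, key=lambda n: n.prefixlen) if hits else None

    def drop_probability(self, net, usage):
        limit = self.limits[net]
        lo = self.min_th * limit
        if usage >= limit:                      # hard cap once the budget is spent
            return 1.0
        if usage < lo:                          # below min_th: never drop
            return 0.0
        return self.max_p * (usage - lo) / (limit - lo)

    def admit(self, src, size):
        net = self.lookup(src)
        if net is None:
            return True
        if self.rng.random() < self.drop_probability(net, self.usage[net] + size):
            return False
        self.usage[net] += size
        return True

    def new_window(self):
        # Reset the per-range counters at each shaping interval.
        for net in self.usage:
            self.usage[net] = 0
```

A source with p_legit = 0.2 therefore gets one fifth of the full budget, and once that is spent every further packet in the window is dropped.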




@inproceedings{GOLD2008,
	Title = {High Performance Traffic Shaping for DDoS Mitigation},
	Author = {Markus Goldstein and Matthias Reif and Armin Stahl and Thomas Breuel},
	BookTitle = {Proceedings of the 2008 ACM CoNEXT conference},
	Address = {Madrid, Spain},
	Month = {12},
	Year = {2008},
	Publisher = {ACM},
	Organization = {SIGCOMM}
}

Last modified: 30.08.2016