Distributed Denial of Service (DDoS) attack mitigation systems usually generate a list of filter rules in order to block malicious traffic. In contrast to this binary decision we suggest to use traffic shaping whereas the bandwidth limit is defined by the probability of a source to be a legal user. As a proof of concept, we implemented a simple high performance Linux kernel module nf-HiShape which is able to shape thousands of source IP addresses at different bandwidth limits even under high packet rates. Our shaping algorithm is comparable to Random Early Detection (RED) applied on every single source IP range. The evaluation shows, that our kernel module can handle up to 50,000 IP ranges at nearly constant throughput whereas Linux tc already decreases throughput at about 200 ranges.
[1]
Werner Almesberger,et al.
Linux Network Traffic Control -- Implementation Overview
,
1999
.
[2]
QUTdN QeO,et al.
Random early detection gateways for congestion avoidance
,
1993,
TNET.
[3]
H. Jonathan Chao,et al.
PacketScore: a statistics-based packet filtering scheme against distributed denial-of-service attacks
,
2006,
IEEE Transactions on Dependable and Secure Computing.
[4]
Anja Feldmann,et al.
Tradeoffs for packet classification
,
2000,
Proceedings IEEE INFOCOM 2000. Conference on Computer Communications. Nineteenth Annual Joint Conference of the IEEE Computer and Communications Societies (Cat. No.00CH37064).