Proactive Protection Against DDoS and Worm Attacks

Jan 28, 2004

Abstract

In this talk, I will discuss recent advances in defending against massive DDoS and worm attacks. I will describe two techniques -- route-based and content-based distributed packet filtering -- aimed at effecting proactive protection in large-scale network systems using light-weight networking mechanisms as opposed to heavy-weight cryptographic methods. The key feature of the new approach, called distributed packet filtering, is that proactive protection -- attack packets are discarded before they can reach their victim -- is achieved under small partial deployment. A complementary feature, reactive protection, allows localization of the attack source. Scalable protection is enabled by exploiting the power-law connectivity of Internet topology.