AS-Based Accountability as a Cost-Effective DDoS Defense

HotBots -- First Workshop on Hot Topics in Understanding Botnets

Published by USENIX

Defenses against botnet-based distributed denial-of-service (DDoS) attacks must demonstrate that, in addition to being technically feasible, they are also economically viable, particularly when compared with the two most widely deployed defenses: simple, massive overprovisioning of resources to absorb and handle DDoS traffic, and “scrubbing” of incoming traffic by the victim’s ISP. We argue that the key to cost-effective handling of DDoS attacks on a network such as the Internet is accountability, meaning that the sources of all traffic can be accurately and reliably identified, and receivers can effectively block traffic to them from any source.

We propose a simple approach to directly providing accountability within a group of ASes. It combines strict ingress filtering on all edge traffic with an AS-based infrastructure that allows hosts to request that traffic to them from specific other hosts be blocked at the source. We also propose using the previously proposed “evil bit” in IP headers to allow a group of ASes that implement accountability to collectively reduce the impact of DDoS attacks originating outside their portion of the Internet. Finally, we present evidence for the economic competitiveness of our approach, compared with the current default approaches of massive overprovisioning and ISP scrubbing.
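The following Python model is an added illustration of the three mechanisms the abstract names (strict ingress filtering at every accountable AS's edge, receiver-initiated block requests honoured at the source AS, and an “evil bit” set on traffic entering from outside the accountable group); it is not code from the paper or its authors. The AS numbers, prefixes, addresses, and the representation of the block-request infrastructure as a per-AS table are assumptions chosen for the example, and the evil-bit semantics (set by the group's border, used by the receiver to deprioritise traffic while under attack) are one plausible reading of the abstract, not the paper's specification.

```python
"""Toy model of AS-based accountability as a DDoS defense (added example).

Assumptions (not from the paper): ASes are small integers owning IPv4
prefixes; the block-request infrastructure is a per-source-AS table of
(victim, attacker) pairs; the "evil bit" is one boolean on a packet.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    evil: bool = False  # set by the accountable group's border for outside traffic


@dataclass
class AS:
    asn: int
    prefixes: list            # ipaddress networks this AS legitimately originates
    accountable: bool = True  # True if the AS implements ingress filtering + block requests
    blocks: set = field(default_factory=set)  # (victim, attacker) pairs honoured here

    def owns(self, addr: str) -> bool:
        ip = ipaddress.ip_address(addr)
        return any(ip in p for p in self.prefixes)

    def edge_filter(self, pkt: Packet):
        """Strict ingress filtering on edge traffic: a source address not owned by
        this AS is spoofed and is dropped. Flows a receiver asked to block are
        dropped here too, at the source, before they consume any transit capacity."""
        if not self.owns(pkt.src):
            return None, "dropped-spoofed"
        if (pkt.dst, pkt.src) in self.blocks:
            return None, "dropped-blocked-at-source"
        return pkt, "forwarded"


class AccountableGroup:
    """A set of ASes that implement accountability among themselves."""

    def __init__(self, ases: list):
        self.ases = {a.asn: a for a in ases}

    def source_as(self, addr: str):
        for a in self.ases.values():
            if a.owns(addr):
                return a
        return None

    def request_block(self, victim: str, attacker: str) -> bool:
        """Receiver asks that traffic from `attacker` to `victim` be blocked at the
        attacker's source AS. Only works if that AS is part of the accountable group."""
        src_as = self.source_as(attacker)
        if src_as is None or not src_as.accountable:
            return False
        src_as.blocks.add((victim, attacker))
        return True

    def deliver(self, pkt: Packet, origin_asn: int):
        """Carry a packet from its origin AS toward the receiver."""
        origin = self.ases[origin_asn]
        if origin.accountable:
            return origin.edge_filter(pkt)
        # Traffic from outside the accountable portion of the Internet cannot be
        # attributed or blocked at its source; the group's border marks it instead.
        pkt.evil = True
        return pkt, "marked-evil"


def receiver_accepts(pkt: Packet, under_attack: bool) -> bool:
    """Receiver policy: while under attack, shed the unaccountable (evil-bit) traffic
    first, since every accountable flow can be stopped at its source instead."""
    return not (under_attack and pkt.evil)


def run_demo() -> dict:
    """Constructed scenario: two accountable ASes, one outside AS, one victim host."""
    group = AccountableGroup([
        AS(100, [ipaddress.ip_network("10.0.0.0/24")]),
        AS(200, [ipaddress.ip_network("10.0.1.0/24")]),
        AS(300, [ipaddress.ip_network("192.0.2.0/24")], accountable=False),
    ])
    victim = "10.0.1.5"
    out = {}
    out["legit"] = group.deliver(Packet("10.0.0.7", victim), 100)[1]
    out["spoofed"] = group.deliver(Packet("10.0.1.9", victim), 100)[1]
    out["block_inside"] = group.request_block(victim, "10.0.0.7")
    out["after_block"] = group.deliver(Packet("10.0.0.7", victim), 100)[1]
    outside, why = group.deliver(Packet("192.0.2.4", victim), 300)
    out["outside"] = why
    out["outside_evil"] = outside.evil
    out["outside_accepted_calm"] = receiver_accepts(outside, under_attack=False)
    out["outside_accepted_attack"] = receiver_accepts(outside, under_attack=True)
    out["block_outside"] = group.request_block(victim, "192.0.2.4")
    return out


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The model makes the cost argument visible: inside the accountable group an attacking flow costs the victim one block request and is then dropped at its own edge, whereas traffic from outside the group can only be marked and shed at the receiver, which is where overprovisioning or scrubbing would otherwise have to absorb it.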