Neighbor Stranger Discrimination: A New Defense Mechanism Against Internet DDoS Attacks

Distributed Denial of Service (DDoS) attacks have become a real threat to the security of the Internet. Defending against DDoS is a challenging job, due to the use of IP spoofing and the destination-based routing of the Internet. Many solutions have been proposed, but none is able to completely stop an intense attack. In this paper we propose a new defense mechanism, Neighbor Stranger Discrimination (NSD), which is capable of stopping or significantly reducing the intensity of a DDoS attack. NSD can be incrementally deployed and satisfactory results are achieved even when it is implemented on a small percentage, 10% to 20%, of the Internet routers. The overhead of installing NSD on a certain router is low in terms of additional storage and processing load. Unlike other defense strategies, NSD produces no false positives while reducing false negatives. Being router-based, NSD also stops reflected DDoS attacks (RDDoS) since it discards the spoofed packets before they reach the reflectors.