A Complete Defense Against DDoS Attacks Using Router Throttle Presented By: Abu Sayeed Saifullah.


1 A Complete Defense Against DDoS Attacks Using Router Throttle Presented By: Abu Sayeed Saifullah

2 Problem Statement
- The baseline algorithm is not fair because it penalizes all routers equally, irrespective of whether they are greedy or well-behaved.
- The fair throttle algorithm installs at each router in R(k) a uniform leaky-bucket rate r_S.
- The algorithm may then continue in a while loop that iteratively adjusts r_S to an appropriate value.
- The additive-increase/multiplicative-decrease iteration aims to keep the server load in [L, U].

3 Router Throttle
[Figure: a deployment router C on the paths to two victims S and S'. Labels: "To S", "To S'", "Aggressive flow", "Throttle for S" (securely installed by S), "Throttle for S'".]
Each victim has a leaky bucket for rate limiting at the router. Small memory and computation overhead!

4 Example (L=18, H=22), Round 1
[Figure: tree of flows toward the server with the per-router throttle applied. Annotations: initially r_S = (L+U)/4 = 10; "Overloaded!"; "Still Overloaded!"]

5 Example (L=18, H=22), Round 2
[Figure: same tree with the halved throttle. Annotations: r_S = r_S/2 = 10/2 = 5; "Underloaded!"]

6 Example (L=18, H=22), Round 3
[Figure: same tree after the additive increase. Annotations: δ = 1; r_S = r_S + δ = 6; "Converged!"; "k-max-min fair!"]
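The AIMD loop of slides 2 and 4 to 6, as an added Python simulation that is not part of the original slides. The topology is an assumption reconstructed from the slide numbers: three routers in R(k) with aggregate offered loads 24.88, 15.51 and 17.73, plus three small flows (0.22, 0.61, 0.95) that reach the server without crossing a throttle; under that assumption the loop reproduces the rate sequence r_S = 10, 5, 6 from the slides.

```python
# Added simulation of the fair router-throttle AIMD loop (slides 2 and 4-6).
L, U = 18.0, 22.0          # target window for the server load (slide titles write U as H)
DELTA = 1.0                # additive increase step, delta = 1 on slide 6

# Assumed topology, reconstructed from the numbers on slides 4-6 (constructed input):
# three routers in R(k) each aggregate several flows, and three small flows reach S
# without crossing a throttle router.
THROTTLED_OFFERED = [18.23 + 6.65, 14.1 + 0.01 + 1.40, 17.73]   # 24.88, 15.51, 17.73
UNTHROTTLED_FLOWS = [0.22, 0.61, 0.95]


def server_load(rate, throttled=THROTTLED_OFFERED, unthrottled=UNTHROTTLED_FLOWS):
    """Load at S when every router in R(k) runs a leaky bucket of rate `rate`.

    Every throttle router gets the same rate, so a greedy router (24.88 offered)
    and a light one (15.51 offered) are capped identically: this is the
    uniform, k-max-min fair allocation the slides describe."""
    return sum(min(offered, rate) for offered in throttled) + sum(unthrottled)


def fair_throttle(low=L, high=U, delta=DELTA,
                  throttled=THROTTLED_OFFERED, unthrottled=UNTHROTTLED_FLOWS,
                  max_rounds=50):
    """Run the additive-increase/multiplicative-decrease loop until the load
    lands in [low, high]. Returns [(rate, load)] per round, load rounded to 2 dp.

    max_rounds guards against the loop never settling, e.g. when [low, high]
    is narrower than the jumps the rate can make."""
    rate = (low + high) / 4                 # initial r_S = (L+U)/4 = 10 (slide 4)
    history = []
    for _ in range(max_rounds):
        load = server_load(rate, throttled, unthrottled)
        history.append((rate, round(load, 2)))
        if load > high:
            rate = rate / 2                 # overloaded: multiplicative decrease
        elif load < low:
            rate = rate + delta             # underloaded: additive increase
        else:
            break                           # converged: load within [L, U]
    return history


if __name__ == "__main__":
    for rnd, (rate, load) in enumerate(fair_throttle(), start=1):
        state = "overloaded" if load > U else "underloaded" if load < L else "converged"
        print(f"round {rnd}: r_S={rate:g} server load={load} ({state})")
```

Round 1 already shows the objection raised on slide 7: the first guess r_S = 10 still lets 31.78 units of load through before the loop corrects, which is the "initial attack" the fair throttle has no answer for.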

7 Problems in Fair Router Throttle
- What about the initial attack? There is no fair answer!
- Assumes that all routers are honest (a strong assumption). How can we be so optimistic?
- Too much global knowledge:
  - The server has to maintain the R(k) list.
  - The server has to multicast/broadcast: it keeps doing work beyond its own.
- Some scenarios converge slowly.
- On a root-to-leaf path only one router has to do all the throttling work.
- Same bucket size for heavy and light routers.

8 Proposed Solution
- Initially underestimate the server: protects against the initial attack.
- Increase the rate based on feedback (back-pressure from upper levels): aims to converge.
- Weighted bucket size.
- Server load target L_max ± D instead of [L_min, L_max].
- No need to trust the routers.
- More localized, i.e. a more distributed fashion:
  - Communication restricted to neighbors.
  - No global computation.
  - Throttling work is split across routers.
  - The server does not have to multicast/broadcast.

9 Proposed Algorithm
- Construct a distributed BFS tree rooted at S:
  - "A New Distributed Algorithm to Find Breadth First Search Tree", IEEE Trans. on Information Theory, 33(3), May 1987.
  - "A Self-Stabilizing Algorithm for Constructing Breadth First Trees", Information Processing Letters, 41(2), Feb 1992.
- Compute the number of leaf nodes in each subtree (bottom-up): lc(u) = ∑ lc(x), x ∈ Child(u).
- Initially, the capacity of each router u is C(u) = |Child(u)| * (min capacity or flow of its children).
- Feedback from the server S to its immediate child routers: feedback = (L_max - L_current) / lc(S).
- Feedback propagates downward.
- Capacity update: C(u) = C(u) + feedback * lc(u).
- Flow update.
- Continue until the server load is L_max ± D.

10 An illustration of the Algorithm
[Figure: BFS tree rooted at the server, each node labelled with its leaf count. Caption: count leaf nodes in each subtree, lc(u) = ∑ lc(x), x ∈ Child(u).]

11 An illustration of the Algorithm (contd.), Round 1
[Figure: the same tree with each router labelled Capacity:Flow. Annotations: initially feedback = 0; initially, capacity for each router u is C(u) = |Child(u)| * (min capacity or flow of children); L_max = 26; D = 3.]

12 An illustration of the Algorithm (contd.), Round 2
[Figure: the same tree after the capacity update. Annotations: feedback = (L_max - L_current)/lc(S) = (26 - 12)/7 = 2; capacity update downward: C(u) = C(u) + feedback * lc(u).]

13 An illustration of the Algorithm (contd.), Round 2
[Figure: the same tree after the flow update. Annotations: flow update: try to saturate the parent router's leaky bucket; continue; D = 3; "Converged!"]

14 Conclusion
- Improved!
- BFS construction adds computation overhead.
- Weighted bucket size may not be good all the time.
- Faster/slower convergence is subject to further study.
