COMMUNITY OF INTEREST BASED DDOS MITIGATION

PATRICK VERKAIK, University of California, San Diego, pverkaik@cs.ucsd.edu
ALEX C. SNOEREN, University of California, San Diego, snoeren@cs.ucsd.edu
KOBUS VAN DER MERWE, AT&T Labs-Research, kobus@research.att.com
OLIVER SPATSCHECK, AT&T Labs-Research, spatsch@research.att.com

[Figures: Successful Attack and Successful Mitigation. Labels: ISP, Customer, Legitimate traffic, Attack traffic, Bandwidth access link exceeded!, Attack traffic blocked at access router]

Step 1: Build Communities of Interest
• ISP-wide bad community of interest: known attackers
• Per-customer good community of interest: who do I want to communicate with?
[Figure labels: Customer’s Good COI, Bad COI, ISP, Intersection, Customer traffic]

Step 2: Choose your weapon: a mitigation policy
• Policy assigns COI subsets to priorities
[Figure labels: COI classifier, classified traffic, Prioritiser, prioritised traffic, Good COI, Bad COI, Unknown, hi prio, med prio, lo prio, 3prios, prefer badcoi, prefer goodcoi, Policer, Max 100 Mb/s]

Step 3: Mitigate
• Median attack of 29-44% customers was completely mitigated!
• Good performance results from good predictability good+bad COI and/or small intersection good+bad COI.
• 38-53% attacks completely mitigated
• slight increase vulnerability in only 5-7% attacks
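An added example, not taken from the poster or from the authors' implementation: a small model of the Step 2 classifier and prioritiser, comparing the two 3prios variants with an unmitigated access link. It assumes good COI maps to hi prio, unknown sources to med prio and bad COI to lo prio, that "prefer" decides the priority of sources in the intersection, and that the link is served in strict priority order; all function names, addresses and rates are constructed.

```python
# Added illustration: every address and rate below is constructed.
HI, MED, LO = 0, 1, 2  # strict-priority classes, HI is served first

def classify(src, good_coi, bad_coi, prefer):
    """Priority of a source; `prefer` settles sources in both COIs (assumed)."""
    in_good, in_bad = src in good_coi, src in bad_coi
    if in_good and in_bad:
        return HI if prefer == "goodcoi" else LO
    if in_good:
        return HI
    return LO if in_bad else MED  # sources in neither COI are "unknown"

def deliver(flows, link_mbps, good_coi, bad_coi, prefer):
    """Serve offered load (Mb/s per source) in strict priority order."""
    delivered, remaining = {}, float(link_mbps)
    for prio in (HI, MED, LO):
        cls = {s: r for s, r in flows.items()
               if classify(s, good_coi, bad_coi, prefer) == prio}
        offered = sum(cls.values())
        # A class that does not fit shares what is left proportionally.
        share = 1.0 if offered <= remaining else remaining / offered
        for s, r in cls.items():
            delivered[s] = r * share
        remaining -= min(offered, remaining)
    return delivered

def fifo(flows, link_mbps):
    """Baseline without mitigation: one queue, proportional loss."""
    share = min(1.0, link_mbps / sum(flows.values()))
    return {s: r * share for s, r in flows.items()}

def legit_fraction(delivered, flows, legit):
    """Fraction of the legitimate offered load that got through."""
    return sum(delivered[s] for s in legit) / sum(flows[s] for s in legit)

GOOD_COI = {"198.51.100.10", "198.51.100.11", "203.0.113.7"}
BAD_COI = {"203.0.113.7", "203.0.113.8"}      # 203.0.113.7 is in both
FLOWS = {"198.51.100.10": 30, "198.51.100.11": 20, "192.0.2.50": 10,
         "203.0.113.7": 60, "203.0.113.8": 400}  # last two are attack load
LEGIT = ["198.51.100.10", "198.51.100.11", "192.0.2.50"]
LINK_MBPS = 100

if __name__ == "__main__":
    base = legit_fraction(fifo(FLOWS, LINK_MBPS), FLOWS, LEGIT)
    print("no mitigation:", round(base, 3))
    for prefer in ("badcoi", "goodcoi"):
        out = deliver(FLOWS, LINK_MBPS, GOOD_COI, BAD_COI, prefer)
        print("3prios prefer", prefer + ":", round(legit_fraction(out, FLOWS, LEGIT), 3))
```

In this constructed case the attacking source that sits in the intersection is the only reason the two variants differ: with prefer badcoi it is demoted and all legitimate load fits, while with prefer goodcoi it competes in the hi prio class and crowds out the unknown legitimate source.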