Optimal Filter Assignment Policy Against Distributed Denial-of-Service Attack

A distributed denial-of-service (DDoS) attack is a cyber-attack in which the attackers from different locations send out a huge number of requests to exhaust the capacity of a server. Current DDoS attack protection services filter out the DDoS attack packets in the middle of the path from the attacker to the servers. Some of the DDoS protection systems filter out them at the victim server. As a result, unnecessary attack traffic congests the network and wastes bandwidth which can be minimized if we block them as early as possible. In this paper, we propose a DDoS attack protection system by using the filter router. The victim needs to wisely select and send filters to a subset of filter routers to minimize attack traffic and blockage of legitimate users (LUs). Many filters can minimize the attack traffic and blockage of LUs easily, but it is costly to the victim. So, we formulate two problems with different settings for selecting filter routers given a constraint on the number of filters. We propose a dynamic programming solution for both problems. Both problems consider the blockage of all attack traffic before it reaches the victim. We conduct extensive simulation to support our solutions.