Resisting network DDoS attacks by packet asymmetry path marking

A novel packet marking scheme is proposed to defend against network or bandwidth DDoS attacks, especially where malicious packets do not target the victim directly. A recent study shows that packet-level symmetry exists in legitimate Internet traffic while malicious flooding traffic often exhibits packet asymmetry. Our scheme utilizes the packet asymmetry to differentiate malicious and legitimate traffic. When a packet to a destination host is transmitted from a router, a packet asymmetry score, the ratio of transmitted to received packets of the destination host over the last interval, is calculated and recorded into the packet's header additively. Malicious packets should carry higher scores because of the absence of reverse packets. When packets with packet asymmetry scores arrive at a downstream router, where some packets are dropped because of congestion, the router should drop packets with higher scores preferentially. Simulation results show the scheme is effective to defend against DDoS attacks targeting network resources.