A Novel Rate Limit Algorithm Against Meek DDoS Attacks

  • Yinan Jing
  • Xueping Wang
  • Xiaochun Xiao
  • Gendu Zhang
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4158)


Distributed denial-of-service (DDoS) attacks are one of the major threats to the Internet today. A rate limit algorithm with max-min fairness is an effective countermeasure against flooding-style DDoS attacks under the assumption that attackers are more aggressive than legitimate users. However, under a “meek” DDoS attack, where that assumption no longer holds, it fails to protect legitimate traffic effectively. To improve the survival ratio of legitimate packets, an IP traceback based rate limit algorithm is proposed. Simulation results show that it not only mitigates the effect of the DDoS attack, but also improves the throughput of legitimate traffic even under a meek attack.
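The failure mode described in the abstract, worked as an added example (not code from the paper, and not the traceback-based algorithm it proposes): a standard water-filling max-min fair allocator is applied to a bottleneck link, and the legitimate survival ratio is compared for an aggressive and a meek attack of equal total volume. The link capacity, source names and rates are constructed for illustration.

```python
def max_min_share(demands, capacity):
    """Water-filling max-min fair allocation of `capacity` among sources.

    demands: {source_name: offered_rate}. Returns {source_name: allowed_rate}.
    """
    alloc = {}
    remaining = float(capacity)
    pending = sorted(demands.items(), key=lambda kv: kv[1])
    while pending:
        fair = remaining / len(pending)
        name, demand = pending[0]
        if demand <= fair:
            # Smallest demand fits under the fair share: satisfy it fully.
            alloc[name] = float(demand)
            remaining -= demand
            pending.pop(0)
        else:
            # Everyone left wants more than the fair share: cap them all.
            for name, _ in pending:
                alloc[name] = fair
            break
    return alloc


def legit_survival_ratio(legit, attack, capacity):
    """Fraction of legitimate traffic that passes the rate limiter."""
    alloc = max_min_share({**legit, **attack}, capacity)
    return sum(alloc[s] for s in legit) / sum(legit.values())


# Constructed scenario: 100-unit bottleneck, 5 legitimate users at 10 units each.
CAPACITY = 100
LEGIT = {f"user{i}": 10 for i in range(5)}
# Same total attack volume (500 units) in both cases:
AGGRESSIVE = {f"bot{i}": 100 for i in range(5)}   # few sources, high rate
MEEK = {f"bot{i}": 10 for i in range(50)}         # many sources, user-like rate

if __name__ == "__main__":
    for label, attack in (("aggressive", AGGRESSIVE), ("meek", MEEK)):
        ratio = legit_survival_ratio(LEGIT, attack, CAPACITY)
        print(f"{label:>10}: legitimate survival ratio = {ratio:.3f}")
```

With per-source fairness alone, the meek case gives every source the same small share, so legitimate traffic is squeezed in proportion to the number of attacking sources rather than protected.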


Keywords: Rate Limit; Bandwidth Allocation; Survival Ratio; Legitimate User; Bottleneck Link





Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Yinan Jing (1)
  • Xueping Wang (1)
  • Xiaochun Xiao (1)
  • Gendu Zhang (1)
  1. School of Information Science & Engineering, Fudan University, Shanghai, China
