Despite the proliferation of traffic filtering capabilities throughout the Internet, attackers continue to launch distributed denial-of-service (DDoS) attacks that successfully overwhelm their victims with DDoS traffic. In this paper, we introduce a distributed filtering system that leverages nodes distributed along the paths of DDoS traffic to filter that traffic. In particular, we focus on adaptive distributed filtering, a new direction in filtering DDoS traffic. In our design, a subscriber to the distributed filtering service can act on behalf of a DDoS victim and generate filtering rules that adapt not only to the most suitable and effective filtering granularity (e.g., an IP source address plus a port number, an individual IP address, or IP prefixes of different lengths), but also to the preferences of the subscriber (e.g., maximum coverage of DDoS traffic, minimum collateral damage from dropping legitimate traffic, or a minimum number of rules). We design an efficient algorithm that generates rules adapted to both the filtering granularity and the filtering objective, and whose output further helps determine where to deploy the generated rules for the best efficacy. We evaluated our system through both large-scale simulations based on real-world DDoS attack traces and pilot studies. Our evaluations confirm that our algorithm can generate rules that adapt to every distinct filtering objective and achieve optimal results for it. We studied the success rate and distribution of rule deployment under different Internet-scale rule deployment profiles and found that a small number of autonomous systems can contribute disproportionately to the defense. Our pilot studies also show that our adaptive distributed filtering system can defend against real-world DDoS attack traces effectively and in real time.
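To make the trade-off between filtering granularity and subscriber objective concrete, the following is an added illustration and not the paper's algorithm: a greedy rule generator that enumerates candidate rules at four granularities (IP plus port, single IP, /24, /16) over a constructed, hand-labelled sample of flows, and then selects rules differently depending on whether the subscriber wants maximum coverage under a collateral budget, zero collateral damage, or the fewest rules. The flow sample, the attack labels, the granularity set and the ranking heuristic are all assumptions made for this example; the paper's own rule-generation algorithm and its optimality guarantees are not reproduced here.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of flows observed at the victim: (src_ip, dst_port, is_attack).
# The attack label is assumed to come from the subscriber (e.g. signature matching)
# so that coverage and collateral damage can be measured per candidate rule.
FLOWS = [
    ("203.0.113.5", 53, True),
    ("203.0.113.6", 53, True),
    ("203.0.113.7", 53, True),
    ("203.0.113.9", 443, False),      # legitimate client inside an attacking /24
    ("198.51.100.10", 53, True),
    ("198.51.100.10", 123, True),     # same source on two attack ports
    ("198.51.100.11", 53, True),
    ("198.51.100.200", 443, False),
    ("192.0.2.1", 80, False),
    ("192.0.2.77", 53, True),
    ("192.0.2.77", 443, False),       # attack source that also carries legitimate traffic
]

# Filtering granularities used in this example, ordered from finest to coarsest.
GRANULARITY = {"ip_port": 0, "ip": 1, "prefix24": 2, "prefix16": 3}


def candidate_rules(flows):
    """Enumerate every rule at every granularity that matches at least one flow.

    Returns {(granularity, key): set of flow indices matched}; insertion order is
    kept, so ties between equally good rules resolve to the first one seen."""
    rules = defaultdict(set)
    for i, (src, port, _) in enumerate(flows):
        net24 = ipaddress.ip_network(f"{src}/24", strict=False)
        net16 = ipaddress.ip_network(f"{src}/16", strict=False)
        for rule in (("ip_port", f"{src}:{port}"), ("ip", src),
                     ("prefix24", str(net24)), ("prefix16", str(net16))):
            rules[rule].add(i)
    return rules


def generate_rules(flows, objective, collateral_budget=0):
    """Greedy rule selection that adapts granularity to the subscriber's objective.

    objective:
      "coverage"   - drop as much attack traffic as possible while the number of
                     legitimate flows dropped stays within collateral_budget
      "collateral" - never drop a legitimate flow (budget forced to 0)
      "rules"      - cover all attack flows with as few rules as possible,
                     accepting collateral damage
    Returns (chosen_rules, attack_flows_dropped, legitimate_flows_dropped).
    """
    attack = {i for i, f in enumerate(flows) if f[2]}
    rules = candidate_rules(flows)
    budget = {"coverage": collateral_budget,
              "collateral": 0,
              "rules": float("inf")}[objective]
    chosen, dropped = [], set()
    while attack - dropped:
        best = None
        for rule, matched in rules.items():
            new = matched - dropped
            new_attack = len(new & attack)
            new_legit = len(new - attack)
            if new_attack == 0 or new_legit > budget:
                continue
            # Rank by attack flows newly covered, then by least collateral; on
            # ties the "rules" objective prefers the coarsest rule, the other
            # objectives the finest rule that still reaches the same flows.
            coarse = GRANULARITY[rule[0]]
            key = (new_attack, -new_legit, coarse if objective == "rules" else -coarse)
            if best is None or key > best[0]:
                best = (key, rule, new, new_legit)
        if best is None:          # nothing left that respects the collateral budget
            break
        _, rule, new, new_legit = best
        chosen.append(rule)
        dropped |= new
        budget -= new_legit
    return chosen, len(dropped & attack), len(dropped - attack)


if __name__ == "__main__":
    for objective in ("collateral", "coverage", "rules"):
        rules, hit, harm = generate_rules(FLOWS, objective, collateral_budget=1)
        print(f"{objective:10s} rules={len(rules)} attack_dropped={hit} legit_dropped={harm}")
        for granularity, key in rules:
            print(f"    {granularity:9s} {key}")
```

On this sample the three objectives yield visibly different rule sets: "collateral" settles on one per-IP rule plus five IP-and-port rules with nothing legitimate dropped, "coverage" with a budget of one legitimate flow collapses the 203.0.113.0/24 sources into a single prefix rule, and "rules" covers all seven attack flows with two /16 rules and one IP-and-port rule at the price of two legitimate flows. The example scores rules only against observed flows; a deployed system would also have to weigh the unobserved legitimate traffic that a coarse prefix rule would drop, which is exactly the collateral-damage concern the paper's objectives are meant to capture.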