Bandwidth Distributed Denial of Service: Attacks and Defenses
Distributed denial of service (DDoS) attacks pose a serious threat to the Internet. We discuss the Internet's vulnerability to Bandwidth Distributed Denial of Service (BW-DDoS) attacks, where many hosts send a huge number of packets, exceeding network capacity and causing congestion and losses, thereby disrupting legitimate traffic. TCP and other protocols employ congestion control mechanisms that respond to losses and delays by reducing network usage; hence, their performance may be degraded sharply by such attacks. Attackers may disrupt connectivity to servers, networks, autonomous systems, or whole countries or regions; such attacks have already been launched in several conflicts.
In this paper we survey BW-DDoS attacks and defenses. We argue that so far, BW-DDoS attacks have employed relatively crude, inefficient, brute-force mechanisms; future attacks may be significantly more effective, and hence much more harmful. We discuss currently deployed and proposed defenses. We argue that to meet the increasing threats, more advanced defenses should be deployed. This may involve some proposed mechanisms (not yet deployed), as well as new approaches. This article is an overview and will be of particular interest to readers who want to learn about bandwidth DDoS attacks and defenses.