Blocking DDoS attacks at the network level

Denial of service (DDoS) is a persistent and continuously growing problem. These attacks are based on methods that flood the victim with messages that it did not request, effectively exhausting its computational or bandwidth resources. The variety of attack approaches is overwhelming and the current defense mechanisms are not completely effective. In today’s internet, a multitude of DDoS attacks occur everyday, some even degrading the availability of critical or governmental services. In this dissertation, we propose a new network level DDoS mitigation protocol that iterates on previous attempts and uses proven mechanisms such as cryptographic challenges and packet-tagging. Our analysis of the previous attempts to solve this problem led to a ground-up design of the protocol with adaptability in mind, trying to minimize deployment and adoption barriers. With this work we concluded that with software changes only on the communication endpoints, it is possible to mitigate the most used DDoS attacks with results up to 25 times more favourable than standard resource rate limiting (RRL) methods