Authors
Deli Gong, Muoi Tran, Shweta Shinde, Hao Jin, Vyas Sekar, Prateek Saxena, Min Suk Kang
Publication date
2019/7/7
Conference
2019 IEEE 39th International Conference on Distributed Computing Systems (ICDCS)
Pages
1161-1174
Publisher
IEEE
Description
In light of ever-increasing scale and sophistication of modern distributed denial-of-service (DDoS) attacks, recent proposals show that in-network filtering of DDoS traffic at a handful of transit networks can handle volumetric attacks effectively. In this paper, we identify a subtle but important security risk in existing in-network filtering proposals. That is, a transit network may use the in-network filtering services as an excuse for any arbitrary packet drops made for its own benefit. For example, a malicious transit network may execute any filtering rules to discriminate against some of its neighboring networks based on its business preference while claiming that it is for the purpose of DDoS defense. We argue that this is due to the lack of verifiable filtering, i.e., no single party can check if a transit network executes the filter rules correctly as requested by the DDoS victims. To make in-network filtering a more robust defense …
Scholar articles
D Gong, M Tran, S Shinde, H Jin, V Sekar, P Saxena… - 2019 IEEE 39th International Conference on …, 2019