Preventing Distributed Denial-of-Service Flooding Attacks with Dynamic Path Identifiers

  • Hongbin Luo
  • Zhe Chen
  • Jiawei Li
  • Athanasios V. Vasilakos

Research output: Contribution to journal › Article › peer-review

Abstract

In recent years, there has been increasing interest in using path identifiers (PIDs) as inter-domain routing objects. However, the PIDs used in existing approaches are static, which makes it easy for attackers to launch distributed denial-of-service (DDoS) flooding attacks. To address this issue, in this paper, we present the design, implementation, and evaluation of dynamic PID (D-PID), a framework that uses PIDs negotiated between neighboring domains as inter-domain routing objects. In D-PID, the PID of an inter-domain path connecting two domains is kept secret and changes dynamically. We describe in detail how neighboring domains negotiate PIDs and how to maintain ongoing communications when PIDs change. We build a 42-node prototype comprising six domains to verify D-PID's feasibility and conduct extensive simulations to evaluate its effectiveness and cost. The results from both simulations and experiments show that D-PID can effectively prevent DDoS attacks.

Original language: English
Article number: 7888484
Pages (from-to): 1801-1815
Number of pages: 15
Journal: IEEE Transactions on Information Forensics and Security
Volume: 12
Issue number: 8
State: Published - Aug 2017

Keywords

  • Distributed denial-of-service (DDoS) attacks
  • Inter-domain routing
  • Path identifiers
  • Security
