Filter-based reactive packet filtering is a key technology in attack traffic filtering for defending against Denial-of-Service (DoS) attacks. Two kinds of relevant schemes have been proposed: victim-end filtering and source-end filtering. The first scheme prevents attack traffic from reaching the victim, but causes a huge loss of legitimate flows due to the scarce filters (termed collateral damage); the second, at the other extreme, can obtain sufficient filters, but severely degrades network transmission performance due to the abuse of filtering routers. In this paper, we propose a router-based packet filtering scheme, which provides relatively more filters while reducing the number of filtering routers. We implement this scheme on emulated DoS scenarios based on synthetic and real-world Internet topologies. Our evaluation results show that, compared to the previous work, our scheme uses just 20% of its filtering routers while increasing its collateral damage by less than 15 percent.