Network engineers have been known to use route diversion to blackhole DDoS attacks. The drawback is that blackholing discards the victim's legitimate traffic along with the attack, so the attacker still achieves denial of service. We present a method that preserves availability under DDoS attacks by combining different diversion methods with a sieving mechanism that drops the "bad" packets and forwards the "good" packets to the intended victim. The method places little demand on router resources and introduces no additional elements on the normal data path.
The diversion method allows the sieving mechanism to process only the
victim's traffic. The system can be deployed on a provider's backbone,
preferably at the peering points. Furthermore, since diversion is done on
demand for different targets at different periods of time, the solution
can be shared by a large number of potential victims and can protect any
element in the provider's backbone. The method can also be applied to
egress traffic, enabling a service provider to clean attack traffic
generated within its own network. Various alternative methods of
transparently diverting a victim's traffic and returning its legitimate
traffic will be presented.
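The diversion-plus-sieve arrangement described above, as an added example and not the presenters' code: a Python simulation of one backbone router in which a more-specific /32 route for the victim is injected on demand, pulling only the victim's packets to a sieve while the rest of the covering prefix keeps its normal path, and cleaned packets return to the victim's edge over a path that does not follow the diversion route. The abstract does not specify which diversion or return methods are presented; the more-specific route, the tunnel-style return path, the per-source packet budget used as the sieving policy, and all addresses and hop names here are assumptions for illustration.

```python
"""Constructed simulation of on-demand route diversion to a sieve.

Not the presenters' system: the /32 more-specific as the diversion method,
the bypass return path, and the per-source budget are assumed for illustration.
"""
import ipaddress
from collections import Counter

SIEVE = "sieve"  # assumed name of the next hop that leads to the sieving element


class Router:
    """Minimal longest-prefix-match forwarding table."""

    def __init__(self):
        self.routes = {}  # ip_network -> next-hop name

    def add(self, prefix, next_hop):
        self.routes[ipaddress.ip_network(prefix)] = next_hop

    def withdraw(self, prefix):
        self.routes.pop(ipaddress.ip_network(prefix), None)

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        matches = [n for n in self.routes if addr in n]
        if not matches:
            return None
        return self.routes[max(matches, key=lambda n: n.prefixlen)]


class Sieve:
    """Toy cleaning policy (assumed): each source may send at most `budget`
    packets to the victim during the diversion; anything beyond is dropped."""

    def __init__(self, budget):
        self.budget = budget
        self.per_source = Counter()

    def accept(self, pkt):
        self.per_source[pkt["src"]] += 1
        return self.per_source[pkt["src"]] <= self.budget


def divert(router, victim):
    # On-demand diversion: a /32 wins longest-prefix match over the victim's
    # covering prefix, so only the victim's packets are pulled to the sieve.
    router.add(f"{victim}/32", SIEVE)


def restore(router, victim):
    router.withdraw(f"{victim}/32")


def return_path_loops(router, victim):
    """True if cleaned packets handed back to this router would be diverted again."""
    return router.lookup(victim) == SIEVE


def forward(router, sieve, pkt, victim_edge):
    """Hop on which the packet leaves the backbone, or 'dropped'."""
    hop = router.lookup(pkt["dst"])
    if hop != SIEVE:
        return hop  # normal data path; the sieve is not involved
    if not sieve.accept(pkt):
        return "dropped"
    # Good packets go to the victim's edge over a path that bypasses the
    # diversion route (e.g. a tunnel), otherwise they would loop back to the sieve.
    return f"{SIEVE}->{victim_edge}"


def simulate(budget=3):
    """Run three phases (before, during, after diversion) over constructed traffic."""
    victim, edge = "198.51.100.7", "edge-A"
    router = Router()
    router.add("198.51.100.0/24", edge)
    router.add("203.0.113.0/24", "edge-B")
    sieve = Sieve(budget)
    legit, attacker = "192.0.2.10", "192.0.2.66"
    phases = {  # constructed (src, dst) flows per phase
        "before": [(legit, victim)] * 2,
        "attack": [(attacker, victim)] * 10 + [(legit, victim)] * 2
                  + [(legit, "198.51.100.8"), (legit, "203.0.113.5")],
        "after": [(attacker, victim)] * 2,
    }
    outcomes = Counter()
    for phase, flows in phases.items():
        if phase == "attack":
            divert(router, victim)
        for src, dst in flows:
            pkt = {"src": src, "dst": dst}
            outcomes[(phase, forward(router, sieve, pkt, edge))] += 1
        if phase == "attack":
            restore(router, victim)
    return outcomes


if __name__ == "__main__":
    for key, count in sorted(simulate().items()):
        print(key, count)
```

During the attack phase, the neighbouring host 198.51.100.8 in the same /24 and the unrelated prefix keep their normal next hops, which is the sense in which the sieve adds nothing to the normal data path; `return_path_loops()` shows why the cleaned traffic cannot simply be re-injected at the diverting router while the /32 is in place.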
About the Presenter
Yehuda Afek is a Professor in the School of Computer
Science at Tel-Aviv University, and the CTO of WANWall Inc.
Currently his research focuses on efficient forwarding and
routing algorithms for IP networks, and methods for traffic
engineering to stop DDoS attacks. Prior to joining Tel-Aviv
University in 1989 he spent four years in AT&T Bell Laboratories.
He received his M.Sc. and Ph.D. in Computer Science from
UCLA in 1983 and 1985, respectively.