Transient Performance of PacketScore for Blocking DDoS Attack

In this paper, we first give a brief description of our approach. Our key idea is to use a statistical packet scoring mechanism to distinguish between legitimate and non-legitimate packets and later discard packets based on the packet scores. The threshold used for the score-based selective packet discard decision is dynamically adjusted based on the score distribution of recent incoming packets as well as the current level of overload of the system. In order for such an approach to work, we need to perform on-line traffic characterizations, and compared such characterizations with nominal profiles (generated from past history or off-line analysis). In our previous paper [Kim04], we discuss how our proposed system performs in different attack scenarios. In this paper, we concentrate more on how the score distribution changes with different attack types, different attack traffic intensities and different windowing parameters.