Selective dropping of rate limiting against denial of service attacks

M.S. in Computer Science

Department of Computer Science

Advisor: Zhongmei Yao


In a Denial of Service (DoS) attack, attackers attempt to prevent legitimate users from accessing services on the Internet. Because the Internet was designed to keep its core simple (routers simply perform routing and forwarding rather than deep packet inspection), DoS attacks remain an open issue. In this thesis, we propose a router-based system and shed light on the design of intelligent rate-limiting mechanisms for protecting the Internet against DoS attacks. Unlike the blind dropping (tail dropping or random dropping) used by the traditional Active Queue Management (AQM) mechanisms deployed in Internet routers, our rate-limiting system maintains a grey list and a black list and performs selective packet dropping. The grey list records flows that exceed the low-rate threshold but have not yet reached the high-rate threshold, while the black list tracks the high-rate flows. Each list is implemented as a fixed-size table (map) and can therefore be deployed easily in routers. We show via simulations that our algorithm significantly outperforms blind dropping mechanisms.
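To make the grey-list/black-list idea in the abstract concrete, the following Python sketch is an added illustration and not the thesis's own code or simulator. It assumes per-flow packet counting in fixed time windows, a penalty period for black-listed flows, and oldest-entry eviction when a fixed-size table is full; the thesis states only that the tables are fixed size, so these details are my assumptions.

```python
from collections import OrderedDict

class SelectiveDropper:
    """Grey/black-list selective dropper (added illustration, not the thesis's code).
    Flows past LOW are grey-listed and monitored; flows reaching HIGH are black-listed
    and dropped until a penalty expires. All tables are fixed size (oldest evicted)."""

    def __init__(self, low, high, capacity, window=1.0, penalty=2.0):
        self.low, self.high, self.capacity = low, high, capacity
        self.window, self.penalty, self.window_start = window, penalty, 0.0
        self.counts = OrderedDict()  # flow -> packets seen in the current window
        self.grey = OrderedDict()    # flow -> count at which it crossed LOW
        self.black = OrderedDict()   # flow -> time its penalty expires

    def _bounded_put(self, table, key, value):
        if key not in table and len(table) >= self.capacity:
            table.popitem(last=False)  # fixed size: evict the oldest entry (assumed policy)
        table[key] = value

    def _roll(self, now):
        if now - self.window_start >= self.window:
            self.window_start = now
            self.counts.clear()
            self.grey.clear()  # grey flows must re-qualify every window
        for flow in [f for f, exp in self.black.items() if exp <= now]:
            del self.black[flow]  # penalty served; the flow is watched afresh

    def admit(self, flow, now):
        """Return True to forward the packet of `flow` arriving at `now`, False to drop it."""
        self._roll(now)
        if flow in self.black:
            return False
        count = self.counts.get(flow, 0) + 1
        self._bounded_put(self.counts, flow, count)
        if count >= self.high:
            self.grey.pop(flow, None)
            self._bounded_put(self.black, flow, now + self.penalty)
            return False
        if count > self.low:
            self._bounded_put(self.grey, flow, count)
        return True

def simulate(dropper, packets):
    """packets: (time, flow) pairs; returns {flow: (forwarded, dropped)}."""
    stats = {}
    for t, flow in sorted(packets):
        fwd, drp = stats.get(flow, (0, 0))
        stats[flow] = (fwd + 1, drp) if dropper.admit(flow, t) else (fwd, drp + 1)
    return stats
```

With thresholds low=3 and high=6, a constructed flow sending ten packets in one window is forwarded five times and dropped five times, while a two-packet flow in the same window is never touched, which is the selectivity that blind tail or random dropping lacks.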


Denial of service attacks, Internet Security measures, Routers (Computer networks), Internetworking (Telecommunication), Computer Science, rate limiting, denial of service, DoS, selective dropping, attack

Copyright © 2016, author