摘要:Distributed Denial-of-Service (DDoS) is still an important security challenge for computer networks. Filter-based DDoS defense is considered as an effective approach, since it can defend against both victim-resource-consumption attacks and link-congestion attacks. However, the high possibility of false positive and the huge consumption of router resources reduce the practicality of existing filter-based approaches. In order to solve this problem, we propose a new mechanism to efficiently eliminate the impact caused by DDoS attacks. We utilize the IP traceback results to obtain an attack graph that contains the candidate filtering routers. Taking the different filtering performance of the routers in the attack graph into consideration, we propose a filtering scheme to determine a small set of filtering routers that would increase filtering performance and reduce false positive. Simulation results based on real-world network topologies demonstrate that the proposed scheme can reduce the damage caused by DDoS attacks effectively and maintain the loss of normal traffic within an acceptable level.