Flow-Cookies: A Bandwidth Amplification Approach to Defend Against DDoS Flooding Attacks

Martin Casado, Pei Cao, Neils Provos


We present ``flow-cookies", a defence against bandwidth exhaustion DDoS attacks. With it, a web site can gain the effective protection bandwidth and filtering capacity of a cooperating high-speed router within the network. Flow-cookies enables a router to determine if a TCP packet sent to the webserver belongs to a legitimate flow without requiring it to store per-flow state. It employs both filtering, used during connection establishment, and capabilities, used post connection establishment.

Flow-cookies extends SYN cookies by placing a secure, limited lifetime cookie within the TCP timestamp of every outgoing data packet from the protected server. The router verifies that all incoming packets have valid cookies (are part of an established flow) before passing them on to the server. Flow-cookies does not require modification to clients, is resistant to source spoofing, and leverages existing client-provider relationships on the Internet. We have implemented flow-cookies within an existing software router and verified its compatibility with popular client operating systems and widely used public web sites.

The paper in PDF is here.

The PowerPoint presentation is here.