Network engineers commonly use route diversion to blackhole DDoS attacks, but this technique may divert and blackhole the victim's legitimate traffic as well. We present a method that provides availability under DDoS attacks by combining different diversion methods with a mechanism that sieves the "bad" packets and forwards the "good" packets to the intended victim. The method minimizes demand on router resources and does not introduce additional elements on the normal data path.
The diversion method allows a sieving mechanism to process only the victims’ traffic. The system is employable on a provider’s backbone, preferably at the peering points. Furthermore, since diversion is done on demand for different targets at different periods of time, the solution can be shared by a large number of potential victims and can protect any element in the provider’s backbone. This method can also be applied on egress traffic, thus enabling a service provider to clean attack traffic generated within its own network. Various alternative methods of transparently diverting a victim’s traffic and returning its legitimate traffic will be presented.
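The following toy model, added here as an illustration and not code from the paper, shows the core idea of the abstract: a peering router keeps its normal forwarding table, and on demand a more-specific /32 route is injected for the victim so that only the victim's traffic passes through a sieve, while all other traffic stays on the normal data path. The /32 route injection, the per-source packet budget used as the sieve policy, and all addresses are constructed assumptions; the paper's actual diversion, return and sieving mechanisms are not specified in this abstract.

```python
"""Toy model of on-demand diversion plus sieving at a peering router.
Diversion via a more-specific /32 route and the per-source budget policy
are assumptions for illustration, not the paper's mechanisms."""
from collections import defaultdict
import ipaddress


class Sieve:
    """Sees only diverted traffic. The policy is a constructed per-source
    packet budget standing in for a real good/bad classifier."""
    def __init__(self, budget):
        self.budget, self.count, self.dropped = budget, defaultdict(int), 0

    def accept(self, src):
        self.count[src] += 1
        if self.count[src] > self.budget:
            self.dropped += 1
            return False
        return True


class PeeringRouter:
    def __init__(self, sieve):
        self.sieve = sieve
        # normal forwarding table, prefix -> next hop (constructed)
        self.routes = {ipaddress.ip_network("198.51.100.0/24"): "core"}
        self.delivered, self.sieve_load = defaultdict(int), 0

    def divert(self, victim):
        # inject a more-specific /32 that wins longest-prefix match
        self.routes[ipaddress.ip_network(f"{victim}/32")] = "sieve"

    def undivert(self, victim):
        # withdraw the /32; the victim's traffic returns to the normal path
        self.routes.pop(ipaddress.ip_network(f"{victim}/32"), None)

    def next_hop(self, dst):
        addr = ipaddress.ip_address(dst)
        best = max((n for n in self.routes if addr in n), key=lambda n: n.prefixlen)
        return self.routes[best]

    def forward(self, src, dst):
        if self.next_hop(dst) == "sieve":
            self.sieve_load += 1           # only the victim's packets cost sieve work
            if not self.sieve.accept(src):
                return "dropped"
        self.delivered[dst] += 1           # "good" packets reach the victim
        return "delivered"


def run_scenario():
    r = PeeringRouter(Sieve(budget=5))
    victim, bystander = "198.51.100.10", "198.51.100.20"
    r.divert(victim)
    for _ in range(100): r.forward("203.0.113.7", victim)   # flood source
    for _ in range(3):   r.forward("192.0.2.5", victim)     # legitimate client
    for _ in range(5):   r.forward("192.0.2.9", bystander)  # unrelated traffic
    r.undivert(victim)
    return dict(r.delivered), r.sieve_load, r.sieve.dropped
```

The bystander's five packets never touch the sieve, the flood is cut to the budget, and the legitimate client's packets all reach the victim.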