"Active Internet Traffic Filtering"
A distributed denial-of-service (DDoS) attack can flood a victim site with malicious traffic, causing service disruption or even complete failure. Public-access sites, like Amazon or EBay, are particularly vulnerable to such attacks, because they have no way of a priori blocking unauthorized traffic.
I will present Active Internet Traffic Filtering (AITF), a mechanism that enables public-access sites to react to highly distributed attacks by causing undesired traffic to be blocked as close as possible to its sources. I will identify wire-speed filters in routers as a scarce resource, and show how AITF protects a significant amount of the victim's bandwidth, while requiring from each participating router a number of filters that can be accommodated by today's routers. I will also discuss an incremental deployment scenario, which offers substantial benefit even to the first sites that deploy AITF.
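The abstract's two central points, that filters should be installed as close as possible to the attack sources and that wire-speed router filters are a scarce resource, can be made concrete with a small placement model. The following is an added illustration written for this page; it is not the AITF protocol or code from the talk's authors. The topology, gateway names (GW-A, GW-B, GW-C, V), host addresses, rates and the per-router filter budget are all constructed assumptions. It compares installing one filter per attacking source at the victim's gateway against pushing the same filters out to each source gateway, and reports both the per-router filter count and the attack traffic that still crosses the victim's access link.

```python
"""Toy model of DDoS filter placement: filters at the victim's gateway vs.
filters at the source gateways (constructed illustration, not AITF itself)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str          # attacking host address (constructed)
    src_gateway: str  # router closest to that host (constructed name)
    rate_mbps: float  # attack traffic rate attributed to this flow

VICTIM_GATEWAY = "V"        # constructed name of the victim-side router
VICTIM_LINK_MBPS = 100.0    # constructed capacity of the victim's access link

# Constructed attack: 9 hosts behind three source gateways, all aimed at the
# victim behind gateway V. 180 Mbps in total, well above the 100 Mbps link.
ATTACK = [
    Flow("10.0.1.1", "GW-A", 20.0), Flow("10.0.1.2", "GW-A", 20.0),
    Flow("10.0.1.3", "GW-A", 20.0), Flow("10.0.1.4", "GW-A", 20.0),
    Flow("10.0.2.1", "GW-B", 20.0), Flow("10.0.2.2", "GW-B", 20.0),
    Flow("10.0.2.3", "GW-B", 20.0),
    Flow("10.0.3.1", "GW-C", 20.0), Flow("10.0.3.2", "GW-C", 20.0),
]

def place_filters(flows, at_source):
    """Return {router: set of source addresses it must filter}.

    at_source=False: every filter lands on the victim's own gateway.
    at_source=True:  each filter lands on the gateway nearest the attacker.
    """
    placement = {}
    for f in flows:
        router = f.src_gateway if at_source else VICTIM_GATEWAY
        placement.setdefault(router, set()).add(f.src)
    return placement

def filters_per_router(placement):
    """Number of wire-speed filter entries each router has to hold."""
    return {router: len(srcs) for router, srcs in placement.items()}

def fits_budget(placement, budget):
    """True if no single router needs more filters than its budget allows."""
    return all(n <= budget for n in filters_per_router(placement).values())

def victim_link_load(flows, placement):
    """Attack traffic (Mbps) that still crosses the victim's access link.

    A filter at the victim's gateway drops a packet only after it has already
    consumed the access link; a filter at the source gateway stops it upstream.
    """
    load = 0.0
    for f in flows:
        stopped_upstream = f.src in placement.get(f.src_gateway, set())
        if not stopped_upstream:
            load += f.rate_mbps
    return load

def link_saturated(flows, placement):
    """True if the surviving attack traffic alone exceeds the access link."""
    return victim_link_load(flows, placement) > VICTIM_LINK_MBPS

if __name__ == "__main__":
    budget = 5  # constructed per-router filter budget
    for label, at_source in (("filters at victim gateway", False),
                             ("filters at source gateways", True)):
        p = place_filters(ATTACK, at_source)
        print(f"{label}: per-router filters={filters_per_router(p)}, "
              f"fits budget of {budget}: {fits_budget(p, budget)}, "
              f"attack load on victim link={victim_link_load(ATTACK, p)} Mbps, "
              f"link saturated: {link_saturated(ATTACK, p)}")
```

Run as a script it prints both placements side by side: concentrating the filters at the victim's gateway needs nine entries on one router and still leaves the whole 180 Mbps on the access link, whereas pushing them to the source gateways needs at most four entries on any router and keeps the attack traffic off the victim's link entirely. The budget check is the knob to experiment with; it is what the talk's claim about "a number of filters that can be accommodated by today's routers" is about.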