Adaptive tuning of network traffic policing mechanisms for DDoS attack mitigation systems

Distributed denial-of-service (DDoS) attacks are responsible for shutting down servers, denying access to critical sectors of the economy, and generating substantial downtime costs and reputation harm. Only in 2020, over ten million DDoS attacks were observed worldwide. Commonly, open-loop network traffic rate policing is used to mitigate them. That is how network devices are currently designed. This paper shows how to extend the state-of-the-art design by introducing the adaptive closed-loop tuning of policing mechanisms. As demonstrated experimentally, open-loop policing based on the celebrated token-bucket mechanism generates a steady-state control error. In contrast, the robust self-tuning controller eliminates that control error while adjusting the bitrate limiting operations to the severe and hardware-specific network operating conditions during a DDoS attack. The study shows the controller's implementation details and discusses the critical difficulties encountered in its technical development. Furthermore, it illustrates how the control error variance depends on the commanded traffic rate limit and explains why the self-tuning controller's anti-windup filter may fail to bring the control signal back to the set of admissible control values. All experiments presented in this paper were conducted using real data from the Polish nation-wide cybersecurity system FLDX managed by the NASK National Research Institute.