In this paper, we present a scheme that protects legitimate traffic from the large volume of attackers packets during a DDoS attack. Legitimate packets can be recognized by the tokens they carry in the IP header. Obtaining a token does not require protocol additions or changes, rather it is automatically obtained when a TCP connection is established. We believe that the Implicit Token Scheme (ITS) has numerous advantages: (1) It is totally transparent to clients. (2) No new protocols or modification of existing ones is needed to implement ITS. (3) Operations required by intermediate routers are computationally not more intensive than a couple of addition operations which could be easily done at wire-speed. (4) Does not lead to false positives. (5) Can sustain server availability even during attacks involving hundreds of thousands of attackers.

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Tom Anderson , Timothy Roscoe , David Wetherall, Preventing Internet denial-of-service with capabilities, ACM SIGCOMM Computer Communication Review, v.34 n.1, January 2004  [doi>10.1145/972374.972382]
	2	K. Argyraki and D. Cheriton. Network capabilities: The good, the bad and the ugly. In HotNets-IV: The Fourth Workshop on Hot Topics in Networks, 2005.
	3	Florin Baboescu , George Varghese, Scalable packet classification, IEEE/ACM Transactions on Networking (TON), v.13 n.1, p.2-14, February 2005  [doi>10.1109/TNET.2004.842232]
	4	Matthias Bossardt , Thomas Dübendorfer , Bernhard Plattner, Enhanced Internet security by a distributed traffic control service based on traffic ownership, Journal of Network and Computer Applications, v.30 n.3, p.841-857, August, 2007  [doi>10.1016/j.jnca.2005.07.006]
	5	Configuring TCP Intercept, Cisco IOS Security Configuration Guide http://www.cisco.com/univercd/cc/td/doc/product/software/ios 122/122cgcr/fsecur_c/.
	6	Edith Cohen , Carsten Lund, Packet classification in large ISPs: design and evaluation of decision tree classifiers, Proceedings of the 2005 ACM SIGMETRICS international conference on Measurement and modeling of computer systems, June 06-10, 2005, Banff, Alberta, Canada
	7	Michael Collins and Michael K. Reiter. An empirical analysis of target-resident dos filters. In IEEE Symposium on Security and Privacy, pages 103--114, 2004.
	8	Drew Dean , Matt Franklin , Adam Stubblefield, An algebraic approach to IP traceback, ACM Transactions on Information and System Security (TISSEC), v.5 n.2, p.119-137, May 2002  [doi>10.1145/505586.505588]
	9	The NP-2 Network Processor http://www.ezchip.com/html/pr_np-2.html.
	10	P. Ferguson , D. Senie, Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing, RFC Editor, 2000
	11	C. Hopps, Analysis of an Equal-Cost Multi-Path Algorithm, RFC Editor, 2000
	12	Cheng Jin , Haining Wang , Kang G. Shin, Hop-count filtering: an effective defense against spoofed DDoS traffic, Proceedings of the 10th ACM conference on Computer and communications security, October 27-30, 2003, Washington D.C., USA  [doi>10.1145/948109.948116]
	13	Jaeyeon Jung , Balachander Krishnamurthy , Michael Rabinovich, Flash crowds and denial of service attacks: characterization and implications for CDNs and web sites, Proceedings of the 11th international conference on World Wide Web, May 07-11, 2002, Honolulu, Hawaii, USA  [doi>10.1145/511446.511485]
	14	Ji Li , Haiyang Liu , Karen Sollins, AFBV: a scalable packet classification algorithm, ACM SIGCOMM Computer Communication Review, v.32 n.3, p.24-24, July 2002  [doi>10.1145/571697.571713]
	15	J. Li, J. Mirkovic, M. Wang, P. Reiher, and L. Zhang. Save: source address validity enforcement protocol. In Proceedings of IEEE INFOCOMM, 2001.
	16	Ratul Mahajan , Steven M. Bellovin , Sally Floyd , John Ioannidis , Vern Paxson , Scott Shenker, Controlling high bandwidth aggregates in the network, ACM SIGCOMM Computer Communication Review, v.32 n.3, p.62-73, July 2002  [doi>10.1145/571697.571724]
	17	D. Moore, G. Voelker, and S. Savage. Inferring internet denial of service activity. In Proceedings of the 10th USENIX Security Symposium, 2001.
	18	Kihong Park , Heejo Lee, On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law internets, Proceedings of the 2001 conference on Applications, technologies, architectures, and protocols for computer communications, p.15-26, August 2001, San Diego, California, United States
	19	Vern Paxson, An analysis of using reflectors for distributed denial-of-service attacks, ACM SIGCOMM Computer Communication Review, v.31 n.3, July 2001  [doi>10.1145/505659.505664]
	20	Route Views, University of Oregon Route Views Project, Available at http://www.routeviews.org/.
	21	Stefan Savage , David Wetherall , Anna Karlin , Tom Anderson, Network support for IP traceback, IEEE/ACM Transactions on Networking (TON), v.9 n.3, p.226-237, June 2001  [doi>10.1109/90.929847]
	22	CAIDA's skitter initiative http://www.caida.org.
	23	Alex C. Snoeren , Craig Partridge , Luis A. Sanchez , Christine E. Jones , Fabrice Tchakountio , Beverly Schwartz , Stephen T. Kent , W. Timothy Strayer, Single-packet IP traceback, IEEE/ACM Transactions on Networking (TON), v.10 n.6, p.721-734, December 2002  [doi>10.1109/TNET.2002.804827]
	24	D. Song and A. Perrig. Advanced and authenticated marking schemes for IP traceback. In Proceedings of IEEE INFOCOMM., 2001.
	25	Minho Sung , Jun Xu, IP Traceback-Based Intelligent Packet Filtering: A Novel Technique for Defending against Internet DDoS Attacks, Proceedings of the 10th IEEE International Conference on Network Protocols, p.302-311, November 12-15, 2002
	26	D. J. Bernstein http://cr.yp.com/syncookies.html.
	27	D. E. Taylor. Survey and taxonomy of packet classification techniques. Technical Report WUCSE-2004-4. Washington Univ. St. Louis, 2004.
	28	K. Thomson, G. Miller, and R. Wilder. Wide-area internet traffic patterns and characteristics. IEEE Network, 11(6), 1997.
	29	Haining Wang , Danlu Zhang , Kang G. Shin, Change-Point Monitoring for the Detection of DoS Attacks, IEEE Transactions on Dependable and Secure Computing, v.1 n.4, p.193-208, October 2004  [doi>10.1109/TDSC.2004.34]
	30	Y. Xiang, Y. Lin, W. L. Lei, and S. J. Huang. Detecting ddos attack based on network self-similarity. In Communications, IEE Proceedings. pages 292 - 295, 2004.
	31	Jun Xu , Wooyong Lee, Sustaining Availability of Web Services under Distributed Denial of Service Attacks, IEEE Transactions on Computers, v.52 n.2, p.195-208, February 2003  [doi>10.1109/TC.2003.1176986]
	32	Abraham Yaar , Adrian Perrig , Dawn Song, Pi: A Path Identification Mechanism to Defend against DDoS Attacks, Proceedings of the 2003 IEEE Symposium on Security and Privacy, p.93, May 11-14, 2003
	33	A. Yaar, A. Perrig, and D. Song. Siff: A stateless internet flow filter to mitigate ddos flooding attacks. In Proceedings of The IEEE Symposium on Security and Privacy, pages 130--143, 2004.
	34	A. Yaar, A. Perrig, and D. Song. FIT: Fast Internet traceback. In Proceedings of IEEE INFOCOMM, March 2005.