
A Game Theory Based Approach to the Generation of Optimal DDoS Defending Strategy
Liang Huang, Dengguo Feng, Yifeng Lian, Yingjun Zhang, and Yuling Liu
Trusted Computing and Information Assurance Laboratory,
Institute of Software, The Chinese Academy of Sciences, Beijing, China
{lancerhuang, feng, lianyf, yjzhang, ylliu}@tca.iscas.ac.cn

ABSTRACT
With the growing threat of DDoS attacks, new attacking mechanisms emerge every day. In order to confront the ever-evolving DDoS attacks, it is insufficient to select a defending strategy merely from the existing strategy set. In this paper, we propose a method that generates new defending strategies and selects the optimal one among them, thus increasing the defending ability. The Game Model for DDoS Countermeasure Selection is established to model the DDoS scenario, considering the attacker and the defender as the two players in the game. Then the new defending strategies are generated and included in the defending strategy set. Next, the Nash equilibrium is calculated to indicate the optimal defending strategy. The experiments, which are performed with a network simulator, show the effectiveness of our method.

KEYWORDS
DDoS, Game Theory, Optimal Defending Strategy,
Strategy Selection, Effect Evaluation

1 INTRODUCTION
The Distributed Denial-of-Service (DDoS) attack has become one of the most severe threats to network security. Attackers utilize compromised hosts to send an overwhelmingly large number of requests to the victim, exhausting the victim's resources and making it unable to provide services.
In order to fight against DDoS attacks effectively, not only have countermeasures against DDoS attacks been proposed, but methods of selecting the optimal defense countermeasures have also been developed. These methods help to select a suitable defending strategy from the defending strategy set. However, attackers continuously refine the attacking process to increase the attack effect, so that new attacking mechanisms emerge every day. Therefore, it is insufficient to select the best countermeasure among the existing defense countermeasures.

ISBN: 978-0-9891305-4-7 2014 SDIWC
In order to confront the ever-evolving attacks, we have to find a way to improve the countermeasures. This paper proposes an approach of generating new defending strategies and selecting the optimal one from them. As a result, the defense effect is increased. Firstly, the defending strategies are combined to generate new strategies. Secondly, the Game Model for DDoS Countermeasure Selection (GMDCS) is built; the attacker and the defender are the two players in the model. Thirdly, utility functions for the attacker and the defender are introduced, including the functions for calculating the effect of the combined defending strategies and the effect of the corresponding attacking strategies. Fourthly, the Nash equilibrium that indicates the optimal defending strategy in both the original defending strategy set and the newly generated defending strategy set is solved. Finally, experiments are made using a network simulator to validate the correctness and the effectiveness of the method.
The rest of the paper is organized as follows. We describe related work in Section 2 and present the GMDCS model in Section 3. Details of the utility functions for both the attacker and the defender are provided in Section 4. We demonstrate the experiments in Section 5, and we summarize the paper in Section 6.
2 RELATED WORK
In order to confront DDoS attacks, many countermeasures have been proposed, such as attack detecting, flow filtering, source identifying, and so on [1-3]. Mirkovic et al. [4] classified the DDoS attacks and countermeasures, and Peng et al. [5] surveyed the countermeasures defending against DoS and DDoS attacks. They analyzed the defense effect of every countermeasure.
Based on this solid survey work on DDoS attack and defense, methods of attack evaluation and defense evaluation have been proposed. Butler [6] proposed the Security Attribute Evaluation Method (SAEM). The method first evaluated how well each defense countermeasure mitigated the threats. Then it analyzed the types of threat each defense countermeasure could handle. At last, it evaluated the cost of each defense countermeasure. These three factors were considered as a whole to guide the selection of defense countermeasures. Bellaiche et al. [7] pointed out that the evaluation and comparison were based on 4 aspects, i.e. performance, cost of deployment, influence on the target system, and robustness. Schwab et al. [8] put the indices for DDoS evaluation into three categories: indices of network traffic, indices of attack effect and indices of effectiveness of defense. They stated that the attack effect should be evaluated by the change of the indices before and during the attack, and that the defense effect should be evaluated by the change of the defense effect before and after the deployment of the defense countermeasure. However, no concrete calculation method was provided. Meadows [9] defined the cost set C and the intruder capability set G. Then the tolerance relation set CG was defined to analyze whether the protocol could resist the DoS attack or not. This method provided a comprehensive analysis for the strategies of both attacks and defenses. However, it was too theoretical to be put into practice. Mirkovic et al. [10] suggested that the key of DDoS defense was to keep the service running at a user-acceptable level. With this idea, Mirkovic et al. [11, 12] proposed a threshold-based DDoS attack effect evaluation method using QoS indices issued by the 3rd Generation Partnership Project (3GPP). If an index was beyond the normal QoS range, the application was considered failed. The percentage of failed transactions (PFT) was used as the evaluation metric of DDoS attack effect. The weighted sum of the PFT of all applications in the network traffic illustrated the overall effect of DDoS attacks.
Li et al. [13] evaluated the effect of DDoS attacks based on packets. The LAR, the ratio of the legitimate traffic passed rate (LTPR) over the attack traffic passed rate (ATPR), was used to measure the performance of the DDoS defense. The higher the LAR, the better the defense.
Recently, much research has focused on selecting the optimal defending strategy in order to increase the security level, and many theories have been incorporated. Game theory is one of the main approaches. Yan et al. [14] built a game-theoretical framework for evaluating DDoS attacks and defense. The work studied how, when multi-layer defense was deployed, the system parameters would affect the decisions of both the attacker and the defender. Liu et al. [15] built models for attackers' intentions, objectives and strategies. The attack scenarios were categorized into nine types along two dimensions: the agility and accuracy of intrusion detection, and the correlation among attack actions. It was pointed out that the intention, objectives and strategies could be inferred using a game-theoretic approach, which would benefit cyber security. Wei et al. [16] introduced the concept of the defense graph. Incorporating the defense graph, the cost of a strategy was calculated. The game-theoretic method was then utilized to select the optimal defending strategy. Bedi et al. [17] modeled the bandwidth depletion attack. The work focused on the probabilities of allowing, redirecting and dropping the incoming traffic. The optimal values of the probabilities were calculated using a game-theoretic approach.
All these works are enlightening. However, they mainly considered the problem of selecting the optimal defending strategy within the existing strategy set, whereas we develop a method to select the optimal defending strategy from both the existing strategy set and the generated strategy set, with the help of GMDCS.
3 GAME MODEL FOR DDOS COUNTERMEASURE SELECTION (GMDCS)
In DDoS attack scenarios, the attacker and the defender are two competitors, each trying to amplify its own effect, and both have strategies for doing so. We build GMDCS to guide the selection of the optimal defending strategy. GMDCS is a 6-tuple vector (the symbol of its third element, the mapping from $S_{Def0}$ to $S_{DefCom}$, did not survive extraction and is written below as [mapping]):

$$G = (S_{Att},\ S_{Def0},\ \text{[mapping]},\ S_{DefCom},\ U_{Att},\ U_{Def})$$

The elements in GMDCS are described in more detail below:

$S_{Att}$ is the set of attacking strategies. In this paper, attackers have 2 attacking strategies: a large number of zombies with a slow sending rate (LZSR), and a small number of zombies with a fast sending rate (SZFR). Therefore $S_{Att} = \{\text{LZSR}, \text{SZFR}\}$.

$S_{Def0}$ is the initial set of defending strategies. In this paper, defenders have 3 basic defending strategies: increasing Qlimit (IQ), rate limiting (RL), and source blocking (SB). Qlimit is the maximum number of half-opened connections. Therefore $S_{Def0} = \{\text{IQ}, \text{RL}, \text{SB}\}$.

[mapping] is the mapping relation between $S_{Def0}$ and $S_{DefCom}$, taking $S_{Def0}$ to $S_{DefCom}$. It represents the process of generating new defending strategies by combining defending strategies from the initial defending strategy set.

$S_{DefCom}$ is the defending strategy set generated by combining basic strategies in $S_{Def0}$:

$$S_{DefCom} = S_{Def0}\,S_{Def0} + S_{Def0}\,S_{Def0}\,S_{Def0} + \cdots = \sum_{i=2}^{n} S_{Def0}^{\,i}, \quad n = |S_{Def0}|.$$

In this paper, $S_{DefCom} = \{\text{IQ-RL}, \text{IQ-SB}, \text{RL-SB}, \text{IQ-RL-SB}\}$.

$S_{DefCom}$ and $S_{Def0}$ form the new set of defending strategies, marked as $S_{DefNew}$. Therefore

$$S_{DefNew} = S_{Def0} + S_{DefCom} = \sum_{i=1}^{n} S_{Def0}^{\,i}, \quad n = |S_{Def0}|.$$

In this paper, $S_{DefNew} = \{\text{IQ}, \text{RL}, \text{SB}, \text{IQ-RL}, \text{IQ-SB}, \text{RL-SB}, \text{IQ-RL-SB}\}$.

$U_{Att}$, $U_{Def}$ are the utility functions for the attacker and the defender respectively. The utility, which considers both the effect and the cost, represents the satisfaction the player experiences when taking the strategy. Therefore, we use utility to quantify the strategies. The utility functions are discussed in more detail in Section 4.
It is easy to understand that the optimal defending strategy is the one with the biggest utility. However, the strategy with the biggest utility under one attacking strategy may not be the strategy with the biggest utility under another attacking strategy. Therefore, the Nash equilibrium is incorporated to select the optimal defending strategy against DDoS attacks. The Nash equilibrium is the state in which each player gains his maximum utility given the other's choice, so that neither has an incentive to change strategy in that state. As a result, the Nash equilibrium can guide the defender to select the optimal defending strategy. In this paper, the Nash equilibrium is presented as a vector:

$$S_{Nash} = \{s_{Att}^{*},\ s_{Def}^{*}\}$$

$s_{Att}^{*}$ is the optimal strategy for the attacker, and $s_{Def}^{*}$ is the optimal strategy for the defender.

4 UTILITY FUNCTIONS OF GMDCS

In DDoS attack scenarios, both the attacker and the defender pay a cost and gain a reward. The difference between the reward and the cost is defined as utility. The utility functions for the attacker and the defender are listed below (the coefficient symbols did not survive extraction; $\alpha$ and $\beta$ are used here for the effect and cost parameters respectively):

$$U_{Att} = \alpha_{Att}\, Reward_{Att} - \beta_{Att}\, Cost_{Att} \qquad (1)$$

$$U_{Def} = \alpha_{Def}\, Reward_{Def} - \beta_{Def}\, Cost_{Def} \qquad (2)$$

$\alpha_{Att}$, $\beta_{Att}$, $\alpha_{Def}$, $\beta_{Def}$ are the adjust parameters.
The attacker gains reward when the attack influences the victim. The defender gains reward when the protection mitigates the attack effect. Intuitively, we use the attack effect and the defense effect to quantify the reward gained by the attacker and the defender respectively. The nature of DDoS attacks is to influence availability. Accordingly, the variation of availability can be used to represent the attack effect and the defense effect.
Definition 1 (Attack Effect). Attack Effect $E_{Att}$ is expressed as the difference between the availability of the victim with no attack $Ava_{no\_Att}$ and that with attack $Ava_{Att}$.

$$E_{Att} = Ava_{no\_Att} - Ava_{Att} \qquad (3)$$

Definition 2 (Defense Effect). Defense Effect $E_{Def}$ is expressed as the difference between the attack effect the attacker produces with no defense $E_{Att}$ and that with countermeasures $E_{Att\_with\_Def}$.

$$E_{Def} = E_{Att} - E_{Att\_with\_Def} = (Ava_{no\_Att} - Ava_{Att}) - (Ava_{no\_Att} - Ava_{Att\_with\_Def}) = Ava_{Att\_with\_Def} - Ava_{Att} \qquad (4)$$

The availability can be perceived by different approaches. In this paper, we propose a method that measures availability from the legitimate users' perspective. If a DDoS attack occurs, the normal user will notice that all applications involving network data transmission become slow, and that interactions with those applications take longer. This indicates that the time between sending a request and receiving the corresponding response can be used to measure availability, thus reflecting the impact of DDoS attacks. Here we first give two definitions, and then a formula for calculating the availability is presented.
Definition 3 (Average Responding Time). Average Responding Time $T_{res}$ is the average of the responding time $T$ over the number of successful request-and-respond actions.

$$T_{res} = \frac{1}{n}\sum_{i=1}^{n} T_i = \frac{1}{n}\sum_{i=1}^{n} (t_i' - t_i) \qquad (5)$$

$T_i$ is the responding time of the $i$-th successful request-and-respond action, $n$ is the total number of successful request-and-respond actions, $t_i$ is the moment the legitimate user sends the request, and $t_i'$ is the moment he successfully receives the response.
Definition 4 (Responding Probability). Responding Probability $P_{res}$ is the probability that a request sent by the legitimate user is responded to by the victim. In this paper, it is defined as the percentage of successfully responded requests $C_{Req\_Success}$ divided by the total number of requests sent $C_{Req\_Total}$.

$$P_{res} = \frac{C_{Req\_Success}}{C_{Req\_Total}} \times 100\% \qquad (6)$$

The availability is calculated using the average responding time $T_{res}$ and the responding probability $P_{res}$:

$$Avail = T_{ob} - [P_{res} T_{res} + (1 - P_{res}) T_{ob}] \qquad (7)$$

$T_{ob}$ is the observation time. In fact, the expression $P_{res} T_{res} + (1 - P_{res}) T_{ob}$ is the mathematical expectation of the time between sending a request and receiving the corresponding response for a legitimate user.
Above, the process of calculating the utility has been presented. The processes of calculating the utility of a combined defending strategy and the utility of the corresponding attacking strategy are discussed below.
When calculating the combined defending strategy's utility, we first calculate the defense effect and the cost of the combined defending strategy using formulas (8) and (9). Then the utility of the combined defending strategy is calculated using formula (2).

$$E_{DefCom} = \left[1 - \prod_{i=1}^{n}\left(1 - \frac{E_{Def\_i}}{E_{Att0}}\right)\right] E_{Att0} \qquad (8)$$

$$Cost_{DefCom} = \sum_{i=1}^{n} Cost_{Def\_i} \qquad (9)$$

$E_{Att0}$ is the attack effect gained without defending strategies.
The utility of the attacking strategy that confronts the combined defending strategy is calculated using formula (1). The cost of the attacking strategy is unchanged, but the attack effect is recalculated by formula (10).

$$E_{AttCom} = E_{Att0} - E_{DefCom} \qquad (10)$$

$E_{DefCom}$ is the defense effect of the confronting defending strategy.
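The formulas of this section carried through in code, as an added example that is not part of the paper: availability (7), the two effects (3) and (4), and the combination rules (8) to (10), run on values copied from Tables 1 to 3 (LZSR column); the function names and the value E_Att0 = 495 (391 + 104, implied by Tables 3 and 6) are assumptions of the example.

```python
"""Added example (not code from the paper): the GMDCS effect formulas.
Implements availability (7), attack effect (3), defense effect (4) and the
combination rules (8)-(10). Table values below are copied from the paper;
E_Att0 = 495 is the undefended LZSR attack effect implied by Tables 3 and 6."""
from itertools import combinations
from math import prod

def availability(p_res, t_res, t_ob):
    """Formula (7): T_ob minus the expected time a legitimate user waits for
    a response. P_res is used as a fraction (e.g. 0.998), not a percentage."""
    return t_ob - (p_res * t_res + (1.0 - p_res) * t_ob)

def attack_effect(ava_no_att, ava_att):
    """Formula (3): availability lost because of the attack."""
    return ava_no_att - ava_att

def defense_effect(ava_att_with_def, ava_att):
    """Formula (4), simplified form: availability regained by defending."""
    return ava_att_with_def - ava_att

def combined_defense_effect(e_def_list, e_att0):
    """Formula (8): each basic strategy removes its own fraction of the attack
    effect independently, so the residual fractions multiply."""
    residual = prod(1.0 - e_def / e_att0 for e_def in e_def_list)
    return (1.0 - residual) * e_att0

def combined_cost(cost_list):
    """Formula (9): the combined cost is the sum of the basic costs."""
    return sum(cost_list)

def attack_effect_against(e_att0, e_defcom):
    """Formula (10): what the attack still achieves against a combination."""
    return e_att0 - e_defcom

def generate_s_def_com(s_def0):
    """S_DefCom: every combination of two or more basic strategies."""
    return [c for r in range(2, len(s_def0) + 1) for c in combinations(s_def0, r)]

# Constructed input copied from the paper's Tables 1, 2 and 3 (LZSR column).
SCENARIOS = {"no_attack": (0.998529, 1.69191),   # (P_res, T_res) from Table 2
             "LZSR": (0.50834, 6.54349),
             "LZSR_vs_IQ": (0.610428, 7.16152)}
T_OB = 1000.0                                     # observation time, Table 1
BASIC_E_DEF_LZSR = {"IQ": 104.0, "RL": 430.0, "SB": 126.0}   # Table 3
BASIC_COST = {"IQ": 200.0, "RL": 500.0, "SB": 1000.0}        # Table 1
E_ATT0_LZSR = 495.0   # assumed: 391 + 104 from Tables 6 and 3

def evaluate_combined(basic_e_def=BASIC_E_DEF_LZSR, basic_cost=BASIC_COST,
                      e_att0=E_ATT0_LZSR):
    """{name: (E_DefCom, Cost_DefCom, E_AttCom)} for every combination, with
    effects rounded to integers as in the paper's Tables 3, 4 and 6."""
    rows = {}
    for combo in generate_s_def_com(list(basic_e_def)):
        e_def = combined_defense_effect([basic_e_def[s] for s in combo], e_att0)
        rows["-".join(combo)] = (round(e_def),
                                 combined_cost(basic_cost[s] for s in combo),
                                 round(attack_effect_against(e_att0, e_def)))
    return rows

def lzsr_effects(scenarios=SCENARIOS, t_ob=T_OB):
    """Attack effect of LZSR and defense effect of IQ from the Table 2 data."""
    ava = {k: availability(p, t, t_ob) for k, (p, t) in scenarios.items()}
    return (attack_effect(ava["no_attack"], ava["LZSR"]),
            defense_effect(ava["LZSR_vs_IQ"], ava["LZSR"]))
```

Running evaluate_combined() reproduces the combined rows of Tables 3, 4 and 6 exactly, which confirms that (8) is a product over the residual fractions; lzsr_effects() shows that the basic effects computed from Table 2 through (7) come out a few units below the paper's rounded Table 3 values.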

5 EXPERIMENT
The experiment is simulated using SSFNet [18], a network simulator. It contains modules to mimic DDoS attack activities. For generality, we randomly generated a network topology with 100 routers. Attackers, the victim and legitimate users are all attached to the routers. Attackers and legitimate users send requests to the victim, and the victim responds to the requests.
The experiment uses the SYN-flood attack as the attacking method. The SYN-flood attack leaves an incomplete TCP three-way handshake state at the victim because the final ACK packet never arrives. The victim is forced to keep a large number of half-opened connections, so that its resources are exhausted and it is unable to respond to new requests. The objective of the DDoS attack is thus achieved.
In this experiment, LZSR is implemented as 500 zombies sending at 1/3 request/sec each. SZFR is implemented as 200 zombies sending at 1 request/sec each. IQ is implemented as increasing Qlimit from 4000 to 8000. RL is implemented as dropping all packets if the traffic is over 800 Kbps. SB is implemented as identifying and blocking 150 zombies. Some parameters of the experiment are shown in Table 1.
Table 1. Parameters of the experiment (α and β stand in for the coefficient symbols lost in extraction)

  Parameter   Meaning                                         Value
  Qlimit      the maximum number of half-opened connections   4000
  BWthres     the bandwidth of the bottleneck link (Mbps)     2
  Tob         the time of observation (second)                1000
  α_Att       the adjust parameter for the attack effect      0.6
  β_Att       the adjust parameter for the attack cost        0.1
  α_Def       the adjust parameter for the defense effect     1
  β_Def       the adjust parameter for the defense cost       0.03
  Cost_LZSR   the cost of LZSR                                100
  Cost_SZFR   the cost of SZFR                                75
  Cost_IQ     the cost of IQ                                  200
  Cost_RL     the cost of RL                                  500
  Cost_SB     the cost of SB                                  1000
SSFNet is used to simulate different DDoS scenarios in which the attacker and the defender take different strategies. The parameters Pres and Tres in these scenarios are collected and shown in Table 2.

Table 2. Pres and Tres collected in different scenarios

  Scenario                Pres       Tres
  No Attack No Defense    0.998529   1.69191
  LZSR without Defense    0.50834    6.54349
  SZFR without Defense    0.273042   6.05851
  LZSR vs. IQ             0.610428   7.16152
  LZSR vs. RL             0.939933   8.328
  LZSR vs. SB             0.632467   6.88435
  SZFR vs. IQ             0.483054   6.68494
  SZFR vs. RL             0.442215   6.16911
  SZFR vs. SB             0.995257   5.33536
Defense effects of the strategies in S_Def0 are calculated based on formulas (3), (4) and (7). Defense effects of the strategies in S_DefCom are calculated using formula (8). The results are rounded to integers and shown in Table 3.

Table 3. Defense effects of the strategies in S_Def0 and S_DefCom

  Defense Effect   LZSR   SZFR
  IQ               104    212
  RL               430    171
  SB               126    722
  IQ-RL            444    333
  IQ-SB            204    724
  RL-SB            447    724
  IQ-RL-SB         457    725
The cost of each combined defending strategy is
calculated using formula (9). The result is shown
in Table 4.
Table 4. Costs of the combined defending strategies

  Defending Strategy   Cost
  IQ-RL                700
  IQ-SB                1200
  RL-SB                1500
  IQ-RL-SB             1700
The utilities of the defending strategies are calculated using formula (2) and shown in Table 5. Then we consider the attacker's utility. The attack effects are calculated using formula (3) for the basic strategies and formula (10) for the combined strategies; the results are shown in Table 6. With the cost of each attacking strategy, the utilities of the attack facing different defending strategies are calculated and shown in Table 7. After that, the Nash equilibrium of the GMDCS is calculated. The result is $p_{Att} = \{81.41\%, 18.59\%\}$, $p_{Def} = \{0, 8.02\%, 0, 0, 0, 91.98\%, 0\}$, which indicates that the optimal defending strategy is RL-SB.
Table 5. Utilities of defending strategies

  Utility    LZSR    SZFR
  IQ         32.4    97.2
  RL         218     62.6
  SB         5.6     363.2
  IQ-RL      196.4   129.8
  IQ-SB      22.4    334.4
  RL-SB      158.2   324.4
  IQ-RL-SB   134.2   295

Table 6. Attack effects encountering different defending strategies

  Attack Effect   LZSR   SZFR
  IQ              391    517
  RL              65     558
  SB              369    7
  IQ-RL           51     396
  IQ-SB           291    5
  RL-SB           48     5
  IQ-RL-SB        38     4

Table 7. Utilities of attacking strategies

  Utility    LZSR   SZFR
  IQ         388    514
  RL         62     555
  SB         366    4
  IQ-RL      48     393
  IQ-SB      288    2
  RL-SB      45     2
  IQ-RL-SB   35     1
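As an added example that is not code from the paper, the following solves the 2 x 7 GMDCS game built from Tables 5 and 7 for its Nash equilibrium by support enumeration, then applies the paper's rule that the defending strategy carrying the largest equilibrium probability is the optimal one; the function names are assumptions of the example.

```python
"""Added example (not the paper's code): solving GMDCS for its Nash
equilibrium by support enumeration on the 2 x 7 game of Tables 5 and 7.
The attacker has two pure strategies, so in a non-degenerate mixed
equilibrium the defender mixes at most two strategies; enumerating the
defender pairs and solving the two indifference equations finds it."""
from itertools import combinations

ATT = ["LZSR", "SZFR"]
DEF = ["IQ", "RL", "SB", "IQ-RL", "IQ-SB", "RL-SB", "IQ-RL-SB"]

# Constructed input copied from the paper: U_Def (Table 5) and U_Att
# (Table 7), each as {defender strategy: (vs LZSR, vs SZFR)}.
U_DEF = {"IQ": (32.4, 97.2), "RL": (218.0, 62.6), "SB": (5.6, 363.2),
         "IQ-RL": (196.4, 129.8), "IQ-SB": (22.4, 334.4),
         "RL-SB": (158.2, 324.4), "IQ-RL-SB": (134.2, 295.0)}
U_ATT = {"IQ": (388.0, 514.0), "RL": (62.0, 555.0), "SB": (366.0, 4.0),
         "IQ-RL": (48.0, 393.0), "IQ-SB": (288.0, 2.0),
         "RL-SB": (45.0, 2.0), "IQ-RL-SB": (35.0, 1.0)}


def pure_equilibria(u_att, u_def, defs=DEF):
    """Pure-strategy equilibria: each side's choice is a best response."""
    found = []
    for a in range(len(ATT)):
        for d in defs:
            att_best = u_att[d][a] >= max(u_att[d])
            def_best = u_def[d][a] >= max(u_def[x][a] for x in defs)
            if att_best and def_best:
                found.append((ATT[a], d))
    return found


def mixed_equilibria(u_att, u_def, defs=DEF, eps=1e-9):
    """Equilibria in which the attacker mixes both strategies and the
    defender mixes a pair (d1, d2). Returns [((p_LZSR, p_SZFR), p_def)]."""
    found = []
    for d1, d2 in combinations(defs, 2):
        # Defender indifferent between d1 and d2 pins the attacker's mix p.
        denom_p = (u_def[d1][0] - u_def[d1][1]) - (u_def[d2][0] - u_def[d2][1])
        # Attacker indifferent between LZSR and SZFR pins q = Pr[d1].
        denom_q = (u_att[d1][0] - u_att[d1][1]) - (u_att[d2][0] - u_att[d2][1])
        if abs(denom_p) < eps or abs(denom_q) < eps:
            continue
        p = (u_def[d2][1] - u_def[d1][1]) / denom_p
        q = (u_att[d2][1] - u_att[d2][0]) / denom_q
        if not (eps < p < 1 - eps and eps < q < 1 - eps):
            continue
        # No unused defender strategy may beat the pair against that p.
        value = {d: u_def[d][0] * p + u_def[d][1] * (1 - p) for d in defs}
        if max(value.values()) > value[d1] + eps:
            continue
        p_def = dict.fromkeys(defs, 0.0)
        p_def[d1], p_def[d2] = q, 1 - q
        found.append(((p, 1 - p), p_def))
    return found


def optimal_defense(u_att=U_ATT, u_def=U_DEF):
    """The paper's rule: the defending strategy carrying the largest
    equilibrium probability. Returns (name, p_att, p_def) or None."""
    equilibria = mixed_equilibria(u_att, u_def)
    if not equilibria:
        return None
    p_att, p_def = equilibria[0]
    return max(p_def, key=p_def.get), p_att, p_def


if __name__ == "__main__":
    print("pure:", pure_equilibria(U_ATT, U_DEF))
    print("optimal:", optimal_defense())
```

The game has no pure equilibrium (the best responses cycle through RL, SZFR, SB and LZSR), and the only mixed one puts the attacker at about 81.4% LZSR and the defender at about 8.0% RL and 92.0% RL-SB, matching the paper's result.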
6 CONCLUSION
In order to confront the severe threat of DDoS attacks, this paper proposed an approach that first generates new defending strategies and then selects the optimal one among them. First, the GMDCS model is built based on game theory. Then, from the legitimate users' perspective, the attack effect and the defense effect are defined. They are involved in calculating the attack utility and the defense utility in GMDCS. Next, new defending strategies are generated by combining existing defending strategies. The utilities of the combined defending strategies and of the corresponding attacking strategies are calculated. Finally, by solving the Nash equilibrium, the optimal defending strategy is selected. Using the network simulator SSFNet, experiments are performed to validate the effectiveness of the method.
There is still a lot to research. The cost of the defending strategies should be surveyed from more aspects. An efficient method of generating strategy combinations and eliminating bad choices at an early stage has to be found. We shall work on these in the future.

7 ACKNOWLEDGEMENT
This work was supported by the National High-Tech Research and Development Plan of China under Grant No. SQ2013GX02D01211 and 2011AA01A203, the National Natural Science Foundation of China under Grant No. 61100226 and 61303248, the Beijing Natural Science Foundation under Grant No. 4122085 and 4144089, and the National Science & Technology Pillar Program of China during the Twelfth Five-year Plan Period under Grant No. 2012BAK26B01.
8 REFERENCES
[1] Yang, X. and Z. Wanlei, Mark-aided distributed filtering by using neural network for DDoS defense, in Global Telecommunications Conference, 2005. GLOBECOM '05. IEEE. 2005.
[2] Chonka, A., et al., Multi-Core Defense System (MSDS) for Protecting Computer Infrastructure against DDoS Attacks, in Parallel and Distributed Computing, Applications and Technologies, 2008. PDCAT 2008. Ninth International Conference on. 2008. p. 503-508.
[3] Yau, D.K.Y., et al., Defending against distributed denial-of-service attacks with max-min fair server-centric router throttles. Networking, IEEE/ACM Transactions on, 2005. 13(1): p. 29-42.
[4] Mirkovic, J. and P. Reiher, A taxonomy of DDoS attack and DDoS defense mechanisms, in ACM SIGCOMM Computer Communication Review. 2004.
[5] Peng, T., C. Leckie, and K. Ramamohanarao, Survey of network-based defense mechanisms countering the DoS and DDoS problems. ACM Comput. Surv., 2007. 39(1).
[6] Butler, S.A., Security attribute evaluation method: a cost-benefit approach, in Proceedings of the 24th International Conference on Software Engineering. 2002, ACM: Orlando, Florida. p. 232-240.
[7] Bellaiche, M. and J. Gregoire, Measuring Defense Systems Against Flooding Attacks, in Wireless Communications and Mobile Computing Conference, 2008. IWCMC '08. International. 2008.
[8] Schwab, S., et al., Methodologies and metrics for the testing and analysis of distributed denial of service attacks and defenses, in IEEE Military Communications Conference, 2005. MILCOM 2005. 2005. p. 2686-2692.
[9] Meadows, C., A Formal Framework and Evaluation Method for Network Denial of Service, in Proceedings of the 12th IEEE workshop on Computer Security Foundations. 1999, IEEE Computer Society. p. 4-13.
[10] Mirkovic, J., et al., Benchmarks for DDoS defense evaluation, in Military Communications Conference, 2006. MILCOM 2006. 2006. p. 1-10.
[11] Mirkovic, J., et al., Measuring denial of service, in Proceedings of the 2nd ACM workshop on Quality of protection. 2006, ACM: Alexandria, Virginia, USA. p. 53-58.
[12] Mirkovic, J., et al., Towards user-centric metrics for denial-of-service measurement, in Proceedings of the 2007 workshop on Experimental computer science. 2007, ACM: San Diego, California.
[13] Li, Z., Y. Xiang, and D. He, Simulation and Analysis of DDoS in Active Defense Environment, in Computational Intelligence and Security, Y. Wang, Y.-m. Cheung, and H. Liu, Editors. 2007, Springer Berlin Heidelberg. p. 878-886.
[14] Yan, G., et al., Towards a Bayesian Network Game Framework for Evaluating DDoS Attacks and Defense, in Proceedings of the 19th ACM conference on Computer and communications security - CCS '12. 2012: p. 553-566.
[15] Liu, P., W. Zang, and M. Yu, Incentive-based Modeling and Inference of Attacker Intent, Objectives, and Strategies. ACM Trans. Inf. Syst. Secur., 2005. 8(1): p. 78-118.
[16] Jiang, W., et al., Optimal Network Security Strengthening Using Attack-Defense Game Model, in Sixth International Conference on Information Technology: New Generations, 2009. ITNG '09. 2009.
[17] Bedi, H.S., S. Roy, and S. Shiva, Game theory-based defense mechanisms against DDoS attacks on TCP/TCP-friendly flows, in 2011 IEEE Symposium on Computational Intelligence in Cyber Security (CICS). 2011.
[18] SSFNet, Scalable simulation framework network models, http://www.ssfnet.org/homePage.html.