Overcoming Traffic Flooding on Networks

Developing a traffic filtering system for DDoS attacks

Traffic flooding remains one of the most common network-intrusion attacks: multiple attackers send an overwhelming volume of packets to the victim host, so that the traffic load is too heavy for the victim to handle. According to statistics gathered by Arbor’s Active Threat Level Analysis System from more than 330 ISP customers with 130 Tbps of global traffic, Distributed Denial-of-Service (DDoS) attacks occur almost every hour globally. This project aims to apply reinforcement learning (RL) techniques to traffic filtering against DDoS attacks. For example, in the system setup inset, filters (RL agents) are carefully located and trained in order to prevent the victim’s workload from going beyond capacity.

The project addresses the following three problems:

  1. What is the attack profile? Signatures of the attack traffic help limit the target of filtering, and hence minimise the impact on legitimate traffic. However, there is a trade-off between the complexity of the rules and the accuracy of the signature, since over-complicated rules may cause unacceptable delays at the routers.
  2. Where should the attacker’s traffic be filtered? Ideally, unwanted traffic should be filtered as close to the attacker as possible. However, this may lead to high false alarms, as traffic from the attacker resembles legitimate flows at the source side. On the other hand, congestion can already occur if the traffic is filtered too close to the victim.
  3. How much of the traffic should be filtered? Each RL agent will learn, either independently or cooperatively, its optimal packet drop probability, which balances throttling the attacker’s traffic against allowing sufficient legitimate flows to reach the server.

The aim of this project is to develop a distributed multi-agent traffic filtering system against DDoS attacks that keeps the victim server’s load below an upper bound, and allows as much legitimate traffic as possible to reach the server.

The project will take a two-step approach:

  1. Phase 1: The location of each agent is determined by pre-defined rules. Each agent observes the average traffic load towards the victim server and optimises its local packet drop probability independently by applying reinforcement learning algorithms.
  2. Phase 2: The RL agents share their locations and local drop probabilities, and cooperate with each other to further improve the overall performance. Specifically, the agents can be deployed at a wide range of routers, and at each time interval some of the agents may be turned off, i.e., have their drop probability set to 0.

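Table 1. Problem setup: state, actions and rewards

| | Phase 1 | Phase 2 |
|---|---|---|
| State | Average traffic load towards the victim | 1. Average traffic load towards the victim; 2. Other agents’ local drop probabilities; 3. Other agents’ locations |
| Action | Local drop probability (0 means the corresponding agent is turned off) | Local drop probability (0 means the corresponding agent is turned off) |
| Reward | 1. Whether the load of the victim server is below the upper boundary; 2. Normalised rate of the legitimate traffic that reaches the server | 1. Whether the load of the victim server is below the upper boundary; 2. Normalised rate of the legitimate traffic that reaches the server |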
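
The Phase 1 setup from Table 1, as an added example that is not the project's own code: independent Q-learning agents at three routers each pick a drop probability from the observed load towards the victim and are updated with the table's reward. The traffic rates, upper bound, state buckets, learning parameters (including the one-step update with no discounting) and all function names are constructed assumptions.

```python
import random
# Constructed scenario (assumed): (legitimate, attack) Mbit/s at each router.
ROUTERS = [(4.0, 0.0), (3.0, 12.0), (2.0, 9.0)]
UPPER_BOUND, N_STATES = 12.0, 8         # victim's bound; number of load buckets
ACTIONS = [i / 10 for i in range(10)]   # drop probability; 0.0 = agent off

def load_state(load):
    """State: load towards the victim, in buckets of UPPER_BOUND / 4."""
    return min(int(4 * load / UPPER_BOUND), N_STATES - 1)

def step(drops):
    """Filter at every router; return (victim load, legitimate fraction)."""
    legit = sum(lg * (1 - p) for (lg, _), p in zip(ROUTERS, drops))
    attack = sum(at * (1 - p) for (_, at), p in zip(ROUTERS, drops))
    return legit + attack, legit / sum(lg for lg, _ in ROUTERS)

def reward(load, legit_fraction):
    """-1 if the victim is over its bound, else the legitimate rate served."""
    return -1.0 if load > UPPER_BOUND else legit_fraction

def greedy(q_row):
    return max(range(len(ACTIONS)), key=q_row.__getitem__)

def train(episodes=2000, steps=10, alpha=0.1, seed=1):
    """Phase 1: one independent Q-table per router, all seeing one reward."""
    rng = random.Random(seed)
    q = [[[0.0] * len(ACTIONS) for _ in range(N_STATES)] for _ in ROUTERS]
    for ep in range(episodes):
        eps = max(0.05, 1 - ep / (0.8 * episodes))   # decaying exploration
        state = load_state(step([0.0] * len(ROUTERS))[0])
        for _ in range(steps):
            acts = [rng.randrange(len(ACTIONS)) if rng.random() < eps
                    else greedy(q[i][state]) for i in range(len(ROUTERS))]
            load, frac = step([ACTIONS[a] for a in acts])
            for i, a in enumerate(acts):   # one-step update (gamma = 0)
                q[i][state][a] += alpha * (reward(load, frac) - q[i][state][a])
            state = load_state(load)
    return q

def evaluate(q, steps=10):
    """Follow the learned greedy policies; return (drops, load, legit frac)."""
    state = load_state(step([0.0] * len(ROUTERS))[0])
    for _ in range(steps):
        drops = [ACTIONS[greedy(q[i][state])] for i in range(len(ROUTERS))]
        load, frac = step(drops)
        state = load_state(load)
    return drops, load, frac

if __name__ == "__main__":
    print(evaluate(train()))
```

Run directly, it prints the learned drop probability per router with the resulting victim load and the fraction of legitimate traffic that still reaches the server.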

The project will produce a demonstration platform of the distributed multi-agent traffic filtering system. One potential candidate is a combination of Mininet and OpenDaylight: Mininet for creating the network, and OpenDaylight as the interface through which the reinforcement learning agents retrieve statistics and reconfigure the network.

Research Team


Seed Funding 2015

Cyber crime casts an evil net by Garry Barker, 3010 Magazine.

Ben Rubinstein wins Young Tall Poppy Science Award by Kate Murray, Melbourne Networked Society Institute, 18 November 2016.

Presented at the Networked Society Symposium 2016 as part of the Breaking tradition: How new technology is transforming everything session, 11 November 2016.

Crime and privacy in open data by Dr Chris Culnane, Dr Benjamin Rubinstein and Dr Vanessa Teague, Pursuit, 28 October 2016.

Understanding the maths is crucial for protecting privacy by Dr Chris Culnane, Dr Benjamin Rubinstein and Dr Vanessa Teague, Pursuit, 29 September 2016.

Can hackers turn off the lights? by Greta Harrison, Pursuit, 18 January 2016.

The rise of the machines: fact or fiction? by Greta Harrison, Pursuit, 23 September 2016.