05 Fakultät Informatik, Elektrotechnik und Informationstechnik
Permanent URI for this collectionhttps://elib.uni-stuttgart.de/handle/11682/6
Design and implementation of a DDoS defense mechanism based on network QoS models (2024)
Augustat, David
Open Access

Abstract: Distributed denial-of-service (DDoS) attacks have become increasingly prevalent and disruptive to online services, negatively impacting their availability. Many existing DDoS mitigation methods rely on endpoint defense, leaving network-level interventions at routers underexplored. This work proposes the DPTB DDoS Defense (DDD) mechanism, a novel network-level DDoS defense based on the Dynamic Priority Token Bucket (DPTB) Quality of Service model developed at the University of Stuttgart. DDD mitigates DDoS attacks inside the routers of a network by categorizing hosts into non-attackers, potential attackers, and definitive attackers, with responses that range from de-prioritization to blocking. The mechanism features TCP SYN flooding protection along with two strategies, Bidirectional DDD and Downstream Reporting, to address downstream-intensive DDoS attacks such as HTTP flooding. To evaluate DDD, we implement it with the OMNeT++ network simulation framework and assess its performance against UDP flooding, TCP SYN flooding, and HTTP flooding attacks. Our findings indicate that DDD outperforms traditional Rate Limiting in all three attack types, effectively mitigating malicious traffic while allowing legitimate packets through. The TCP SYN flooding protection proves to be highly effective, leading to nearly perfect discrimination between legitimate and malicious traffic. DDD achieves lower average response times than Rate Limiting for legitimate HTTP requests during an HTTP flooding attack. This work contributes a novel QoS-based DDoS defense mechanism, an implementation of this mechanism in OMNeT++, and a comprehensive analysis, positioning DDD as a viable improvement over existing QoS-based DDoS defenses for mitigating network and transport layer DDoS attacks.