1. Introduction
Denial of Service (DoS) and Distributed DoS (DDoS) attacks are serious threats on the Internet. For instance, in October 2002 some of the root DNS servers suffered massive DDoS attacks and could not provide service. More recently, a more sophisticated attack called the Distributed Reflection DoS (DRDoS) attack has emerged [1]–[4]. A DRDoS attack uses IP spoofing to make legitimate hosts, called “reflectors”, send a large number of packets to a victim. Since a DRDoS attacker can exploit a host as a reflector if the attacker knows the host's IP address, the attacker can easily use a large number of reflectors. As a result, both the impact of attacks and the number of attack paths increase compared with traditional DDoS. A DRDoS attack was seen in January 2002, when the Gibson Research Corporation network was attacked by DRDoS packets, resulting in a service interruption of several hours [1]. Hundreds of legitimate hosts were used as reflectors, and about 1 billion packets were filtered until the attack was halted.