A denial-of-service (DoS) or distributed denial-of-service (DDoS) attack is an attempt to make a machine or network resource unavailable to its intended users. The Internet is vulnerable to bandwidth distributed denial-of-service (BW-DDoS) attacks, in which many hosts send a huge number of packets to cause congestion and disrupt legitimate traffic. BW-DDoS attacks disrupt the operation of network infrastructure by causing congestion, achieved by raising either the total volume of traffic (in bytes) or the total number of packets; the packet-forwarding rate is often the lower limit, and it is reached with short packets such as TCP SYN or ACK segments carrying no payload. Such attacks can cause loss or severe degradation of connectivity between the Internet and victim networks, or even whole autonomous systems (ASs), possibly disconnecting entire regions of the Internet. So far, BW-DDoS attacks have employed relatively crude, inefficient, brute-force mechanisms; future attacks might be significantly more effective and harmful. Meeting these increasing threats requires more advanced defenses.
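The two congestion limits described above, the byte capacity of a link and the packet-forwarding capacity of the devices on it, can be monitored separately; the following Python sketch is an added example (not code from the original article) that computes both utilisations for a constructed traffic window and shows that short packets exhaust the packet limit long before the byte limit. The 1 Gbps link and the 1.5 Mpps forwarding limit are assumed values.

```python
# Added example (not from the original article): which of a link's two
# capacity limits, bytes or packets, does a traffic window exhaust first?
from dataclasses import dataclass
from typing import Dict, Iterable, List, Union

@dataclass(frozen=True)
class LinkCapacity:
    bytes_per_sec: int  # assumed: a 1 Gbps link carries 125_000_000 bytes/s
    pkts_per_sec: int   # assumed: router/NIC forwarding limit in packets/s

ASSUMED_LINK = LinkCapacity(bytes_per_sec=125_000_000, pkts_per_sec=1_500_000)

def congestion_report(packet_lengths: Iterable[int], window_sec: float,
                      cap: LinkCapacity) -> Dict[str, Union[int, float, str, bool]]:
    """Utilisation of the byte and packet limits for one observation window
    of per-packet sizes; reports which limit is closer to exhaustion."""
    sizes = list(packet_lengths)
    total_bytes, total_pkts = sum(sizes), len(sizes)
    byte_util = total_bytes / (cap.bytes_per_sec * window_sec)
    pkt_util = total_pkts / (cap.pkts_per_sec * window_sec)
    return {
        "bytes": total_bytes,
        "packets": total_pkts,
        "byte_util": byte_util,
        "pkt_util": pkt_util,
        "limiting": "packets" if pkt_util >= byte_util else "bytes",
        "congested": max(byte_util, pkt_util) >= 1.0,
    }

def congestion_pps(cap: LinkCapacity, pkt_len: int) -> int:
    """Packet rate at which pkt_len-byte packets congest the link: the lower
    of the two limits expressed in packets/s (a per-size alert threshold)."""
    return min(cap.pkts_per_sec, cap.bytes_per_sec // pkt_len)

def synthetic_flood(pkt_len: int, total_bytes: int) -> List[int]:
    """Constructed window: enough pkt_len-byte packets to carry total_bytes."""
    return [pkt_len] * -(-total_bytes // pkt_len)  # ceiling division

if __name__ == "__main__":
    # 60-byte (SYN/ACK-sized) vs 1500-byte packets, each sized to fill the
    # byte capacity of the assumed link for a one-second window.
    for name, size in (("short-packet flood", 60), ("bulk flood", 1500)):
        r = congestion_report(synthetic_flood(size, ASSUMED_LINK.bytes_per_sec),
                              1.0, ASSUMED_LINK)
        print(f"{name}: limit={r['limiting']} bytes={r['byte_util']:.2f} "
              f"pkts={r['pkt_util']:.2f} congested={r['congested']}")
```

With the assumed capacities, the 60-byte flood needs 1.5 million packets per second to congest the link while the 1500-byte flood needs about 83 thousand, which is why a packet-rate threshold per packet size is a better alert signal than bytes alone.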