ABSTRACT
Currently, there is no effective defense against large-scale distributed denial-of-service (DDoS) attacks. While numerous DDoS defense systems exist that offer excellent protection from specific attack types and scenarios, they can frequently be defeated by an attacker aware of their weaknesses. A necessary requirement for successful DDoS defense is wide deployment, but none of these systems can guarantee wide deployment, simply because deployment depends more on market and social aspects than on the technical performance of the system. To handle the DDoS threat successfully we must abandon the current paradigm, the design of defense systems that operate in isolation, and shift toward a new paradigm: a distributed framework of heterogeneous systems that cooperate to achieve an effective defense. Heterogeneity is dictated by two major factors. First, the necessary requirements for a successful defense are detection, response and traffic differentiation. These requirements must be met at disjoint points in the Internet and require a disjoint set of functionalities from the defense systems. Second, heterogeneity is dictated by the current state of the DDoS defense field, in which numerous systems exist that can offer similar performance and compete for market share. In this paper we show how the paradigm shift can be accomplished quickly and painlessly through the design of DefCOM, a distributed framework that enables the exchange of information and services between existing defense nodes.
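The abstract argues that detection, traffic differentiation and response are naturally performed by different nodes at different points in the network, and that a framework gains its strength from letting those heterogeneous nodes exchange information. The following toy simulation is an added illustration of that division of labour; it is not DefCOM's protocol or code, and the three node roles, the "verified"/"unverified" tags, the capacity numbers and the traffic mix are all constructed assumptions chosen to make the effect visible. A victim-side detector raises an alert when incoming traffic exceeds the victim's capacity, a source-side classifier marks packets from hosts it has vetted, and a core rate limiter, once alerted, spends the victim's capacity on verified traffic first.

```python
"""Toy cooperative DDoS defense: detector, classifier and rate limiter nodes.

Illustrative only (assumed design, not DefCOM itself). Sample traffic is
constructed inline so the script runs offline.
"""
from dataclasses import dataclass, replace
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    size: int            # bytes
    legit: bool          # ground truth, used only to score the run
    tag: str = "unmarked"  # set by a classifier node: "verified" or "unverified"


@dataclass(frozen=True)
class Alert:
    victim: str
    limit: int           # bytes per window the victim can absorb


class DetectorNode:
    """Victim-side node: raises an alert when a window's traffic to the victim exceeds its capacity."""

    def __init__(self, victim: str, capacity: int) -> None:
        self.victim, self.capacity = victim, capacity

    def observe(self, window: Iterable[Packet]) -> Optional[Alert]:
        total = sum(p.size for p in window if p.dst == self.victim)
        return Alert(self.victim, self.capacity) if total > self.capacity else None


class ClassifierNode:
    """Source-side node: marks packets from hosts it has vetted as verified, all others unverified.

    The vetting rule (a fixed set of known hosts) is an assumption for the toy model.
    """

    def __init__(self, vetted_hosts: set) -> None:
        self.vetted = vetted_hosts

    def mark(self, pkt: Packet) -> Packet:
        return replace(pkt, tag="verified" if pkt.src in self.vetted else "unverified")


class RateLimiterNode:
    """Core node: forwards everything normally; under an alert it fills the victim's
    budget with verified traffic first and admits unverified traffic only with what is left."""

    def __init__(self) -> None:
        self.alerts: Dict[str, int] = {}

    def handle(self, alert: Alert) -> None:
        self.alerts[alert.victim] = alert.limit

    def forward(self, window: List[Packet]) -> List[Packet]:
        out: List[Packet] = []
        budgets = dict(self.alerts)          # per-window copy of each alerted victim's budget
        # Verified packets are considered first; the sort is stable, so order within a group is kept.
        for pkt in sorted(window, key=lambda p: p.tag != "verified"):
            limit = budgets.get(pkt.dst)
            if limit is None:                # no alert for this destination: pass through
                out.append(pkt)
            elif pkt.size <= limit:          # within the victim's remaining budget
                budgets[pkt.dst] = limit - pkt.size
                out.append(pkt)
        return out


def make_window(n_legit: int, n_attack: int, victim: str) -> List[Packet]:
    """Constructed sample traffic: n_legit client packets and n_attack bot packets, 100 bytes each."""
    legit = [Packet(f"client{i}", victim, 100, True) for i in range(n_legit)]
    attack = [Packet(f"bot{i}", victim, 100, False) for i in range(n_attack)]
    return legit + attack


def delivered_fraction(window: List[Packet], forwarded: List[Packet], legit: bool) -> float:
    sent = sum(1 for p in window if p.legit == legit)
    got = sum(1 for p in forwarded if p.legit == legit)
    return got / sent if sent else 0.0


def run(n_legit: int = 20, n_attack: int = 200, capacity: int = 5000) -> dict:
    """Replay one traffic window before and after the nodes cooperate on an alert."""
    victim = "victim"
    detector = DetectorNode(victim, capacity)
    classifier = ClassifierNode({f"client{i}" for i in range(n_legit)})
    limiter = RateLimiterNode()
    window = [classifier.mark(p) for p in make_window(n_legit, n_attack, victim)]
    before = limiter.forward(window)         # no alert yet: the victim receives the whole flood
    alert = detector.observe(before)
    if alert is not None:
        limiter.handle(alert)                # detector's finding is shared with the core node
    after = limiter.forward(window)          # same traffic mix, now shaped using the classifier's marks
    return {
        "alert_raised": alert is not None,
        "bytes_before": sum(p.size for p in before),
        "bytes_after": sum(p.size for p in after),
        "legit_after": delivered_fraction(window, after, True),
        "attack_after": delivered_fraction(window, after, False),
    }


if __name__ == "__main__":
    print(run())
```

With the default constructed mix (20 legitimate and 200 attack packets against a 5000-byte budget), the victim receives 22000 bytes per window before the alert and exactly its capacity afterwards, all legitimate packets are delivered, and only the leftover budget goes to unmarked traffic. Each node needs only information it can obtain locally (the victim's load, the source network's knowledge of its own hosts, the core link's capacity), which is what makes the roles separable across disjoint points in the network.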
Index Terms
- Alliance formation for DDoS defense