The Internet today continues to be vulnerable to distributed denial of service (DDoS) attacks. We consider the design of a scalable agent-based system for collecting information about the structure and dynamics of DDoS attacks. Our system requires placement of agents on inter-autonomous system (AS) links in the Internet. The agents implement a self-organizing and totally decentralized mechanism capable of reconstructing topological information about the spatial and temporal structure of attacks. The system is effective at recovering DDoS attack structure, even at moderate levels of deployment. In this paper, we demonstrate how careful placement of agents within the system can improve the system's effectiveness and provide better tradeoffs between system parameters and the quality of structural information the system generates. We introduce two agent placement algorithms for our agent-based DDoS system. The first attempts to maximize the percentage of attack flows detected, while the second tries to maximize the extent to which we are able to trace back detected flows to their sources. We show, somewhat surprisingly, that these two objectives are concomitant: placement of agents in a manner that optimizes with respect to the first criterion tends also to optimize with respect to the second criterion, and vice versa. Both placement schemes show a marked improvement over a system in which agents are placed randomly, and thus provide a concrete design process by which to instrument a DDoS flow reconstruction system that is effective at recovering attack structure in large networks at moderate levels of deployment.