Distributed Defense Against Distributed Denial-of-Service Attacks

Distributed defense is a promising way to neutralize the distributed Denial-of-Service attacks by detecting and responding the attacking sources widespread around the Internet. Components of the distributed defense system will cooperate with each other to combat the attacks. Compared with the centralized defense systems, distributed defense systems can discover the attacks more timely from both source end and victim end, fight the attacks with more resources and take advantage of more flexible strategies. This paper investigates 7 distributed defense systems which make use of various strategies to mitigate the DDoS attacks. Different architectures are designed in these 7 systems to provide distributed DDoS defense solutions. We evaluate these systems in terms of deployment, detection, response, security, robustness and implementation. For each criteria, we give a recommendation on which technologies are best suitable for a successful distributed defense system based on the analysis result. Finally we propose our idea on the design of an effective distributed defense system.

[1]  Wanlei Zhou,et al.  Trace IP packets by flexible deterministic packet marking (FDPM) , 2004, 2004 IEEE International Workshop on IP Operations and Management.

[2]  Jelena Mirkovic,et al.  Alliance formation for DDoS defense , 2003, NSPW '03.

[3]  Angelos D. Keromytis,et al.  SOS: secure overlay services , 2002, SIGCOMM '02.

[4]  Angelos D. Keromytis,et al.  SOS: secure overlay services , 2002, SIGCOMM 2002.

[5]  Wanlei Zhou,et al.  Mark-aided distributed filtering by using neural network for DDoS defense , 2005, GLOBECOM '05. IEEE Global Telecommunications Conference, 2005..

[6]  Ramesh Govindan,et al.  COSSACK: Coordinated Suppression of Simultaneous Attacks , 2003, Proceedings DARPA Information Survivability Conference and Exposition.

[7]  Pekka Nikander,et al.  Towards Network Denial of Service Resistant Protocols , 2000, SEC.

[8]  Hassan Aljifri,et al.  IP Traceback: A New Denial-of-Service Deterrent? , 2003, IEEE Secur. Priv..

[9]  Dan Schnackenberg,et al.  Infrastructure for intrusion detection and response , 2000, Proceedings DARPA Information Survivability Conference and Exposition. DISCEX'00.

[10]  Pasi Eronen,et al.  Denial of service in public key protocols , 2000 .

[11]  Ratul Mahajan,et al.  Controlling high bandwidth aggregates in the network , 2002, CCRV.

[12]  Angelos D. Keromytis,et al.  MOVE: An End-to-End Solution to Network Denial of Service , 2005, NDSS.