Collaborative Detection of DDoS Attacks over Multiple Network Domains

This paper presents a new distributed approach to detecting DDoS (distributed denial of service) flooding attacks at the traffic-flow level. The new defense system is suitable for efficient implementation over the core networks operated by Internet service providers (ISPs). At the early stage of a DDoS attack, some traffic fluctuations are detectable at Internet routers or at the gateways of edge networks. We develop a distributed change-point detection (DCD) architecture using change aggregation trees (CAT). The idea is to detect abrupt traffic changes across multiple network domains at the earliest time. Early detection of DDoS attacks minimizes the flooding damage to the victim systems serviced by the provider. The system is built over attack-transit routers, which work together cooperatively. Each ISP domain has a CAT server to aggregate the flooding alerts reported by the routers. CAT domain servers collaborate among themselves to make the final decision. To resolve policy conflicts at different ISP domains, a new secure infrastructure protocol (SIP) is developed to establish mutual trust or consensus. We simulated the DCD system up to 16 network domains on the Cyber Defense Technology Experimental Research (DETER) testbed, a 220-node PC cluster for Internet emulation experiments at the University of Southern California (USC) Information Sciences Institute. Experimental results show that four network domains are sufficient to yield a 98 percent detection accuracy with only 1 percent false-positive alarms. Based on a 2006 Internet report on autonomous system (AS) domain distribution, we prove that this DDoS defense system can scale well to cover 84 AS domains. This security coverage is wide enough to safeguard most ISP core networks from real-life DDoS flooding attacks.
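The abstract describes a three-level scheme: each router runs a change-point test on its traffic, a per-domain CAT server aggregates router alerts, and the domain servers reach a cross-domain decision. The following Python model, added here as an illustration and not code from the paper, shows that pipeline end to end on constructed per-interval packet counts. It assumes a one-sided CUSUM statistic as the router-level change-point test and simple vote counting (at least `min_routers` routers per domain, at least `min_domains` domains overall) as the aggregation rule; the paper's actual CAT construction and its SIP trust protocol are not reproduced. The parameters `BASELINE`, `DRIFT`, `THRESHOLD` and the sample series are invented for the example.

```python
"""Added example: distributed change-point detection with alert aggregation.

Not the paper's code. CUSUM as the per-router test and vote counting as the
domain/cross-domain fusion rule are assumptions made for this illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed parameters: expected packets per interval toward the protected
# prefix, the CUSUM allowance (k) and the CUSUM decision threshold (h).
BASELINE = 100.0
DRIFT = 20.0
THRESHOLD = 200.0


@dataclass
class CusumDetector:
    """One-sided CUSUM: reacts only to upward shifts in the count."""
    baseline: float
    drift: float
    threshold: float
    stat: float = 0.0

    def update(self, count: float) -> bool:
        # S_t = max(0, S_{t-1} + (x_t - baseline - drift)); alert when S_t > h.
        self.stat = max(0.0, self.stat + (count - self.baseline - self.drift))
        return self.stat > self.threshold


def router_alert_intervals(samples: List[int], baseline: float = BASELINE,
                           drift: float = DRIFT, threshold: float = THRESHOLD) -> Set[int]:
    """Intervals at which a single router would report a flooding alert."""
    det = CusumDetector(baseline, drift, threshold)
    return {i for i, c in enumerate(samples) if det.update(c)}


def domain_alert_intervals(routers: Dict[str, List[int]], min_routers: int = 1) -> Set[int]:
    """Domain-level (CAT server) view: intervals where enough routers alerted."""
    votes: Dict[int, int] = {}
    for series in routers.values():
        for i in router_alert_intervals(series):
            votes[i] = votes.get(i, 0) + 1
    return {i for i, n in votes.items() if n >= min_routers}


def global_decision(domains: Dict[str, Dict[str, List[int]]],
                    min_routers: int = 1, min_domains: int = 4) -> Optional[int]:
    """Cross-domain decision: earliest interval where enough domains agree.

    Returns None when no interval reaches the domain quorum, so an isolated
    burst seen by one domain never becomes a global alarm.
    """
    votes: Dict[int, int] = {}
    for routers in domains.values():
        for i in domain_alert_intervals(routers, min_routers):
            votes[i] = votes.get(i, 0) + 1
    hits = sorted(i for i, n in votes.items() if n >= min_domains)
    return hits[0] if hits else None


# Constructed sample: five domains, ten intervals each. Domains A-C see a
# flood from interval 5, D sees it one interval later, E only has a short
# benign burst at interval 3 on one router.
SAMPLE: Dict[str, Dict[str, List[int]]] = {
    "A": {"r1": [100, 105, 95, 110, 100, 300, 320, 310, 330, 300],
          "r2": [98, 102, 100, 99, 101, 280, 300, 310, 290, 300]},
    "B": {"r1": [100, 105, 95, 110, 100, 300, 320, 310, 330, 300],
          "r2": [100] * 10},
    "C": {"r1": [101, 99, 100, 102, 98, 310, 305, 315, 300, 320]},
    "D": {"r1": [100, 100, 100, 100, 100, 100, 300, 320, 310, 330]},
    "E": {"r1": [100, 105, 95, 350, 100, 100, 100, 100, 100, 100]},
}

if __name__ == "__main__":
    for name, routers in SAMPLE.items():
        print(name, sorted(domain_alert_intervals(routers)))
    print("global alarm at interval:", global_decision(SAMPLE))
```

Running the module prints each domain's alert intervals and the global decision. With a four-domain quorum the alarm fires at interval 7, when D has caught up with A, B and C; E's single burst raises a domain-level alert but never reaches the cross-domain threshold.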
