Cooperative Defence Against DDoS Attacks

Distributed denial of service (DDoS) attacks on the Internet have become an immediate problem. Because DDoS streams do not share common characteristics, currently available intrusion detection systems (IDS) cannot detect them accurately. As a result, defending against DDoS attacks with currently available IDS dramatically affects legitimate traffic. In this paper, we propose a distributed approach to defending against DDoS attacks by coordinating across the Internet. Unlike traditional IDS, we detect and stop DDoS attacks within the intermediate network. In the proposed approach, DDoS defence systems are deployed in the network to detect DDoS attacks independently. A gossip-based communication mechanism is used to exchange information about network attacks between these independent detection nodes and to aggregate information about the overall network attacks observed. Using the aggregated information, the individual defence nodes have approximate information about global network attacks and can stop them more effectively and accurately. To provide reliable, rapid and widespread dissemination of attack information, the system is built as a peer-to-peer overlay network on top of the Internet.

ACM Classification: C.2 (Computer-Communication Networks), D.2 (Software Engineering)
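The following is an added illustration of the gossip-based aggregation the abstract describes; it is example code written for this page, not the paper's implementation. The node names, prefixes, packet rates and threshold are constructed, and pairwise averaging (each node's value converging to the global mean, scaled by the node count) stands in for whatever aggregate the paper's nodes exchange.

```python
import random

# Constructed sample: packets per second each independent defence node observed
# toward two monitored prefixes. No single node sees enough traffic toward
# 10.0.0.0/24 to call it an attack, but the network-wide total is a flood.
LOCAL_OBSERVATIONS = {
    "node0": {"10.0.0.0/24": 9_000, "10.0.1.0/24": 400},
    "node1": {"10.0.0.0/24": 7_500, "10.0.1.0/24": 300},
    "node2": {"10.0.0.0/24": 8_200, "10.0.1.0/24": 350},
    "node3": {"10.0.0.0/24": 300,   "10.0.1.0/24": 380},
}
GLOBAL_THRESHOLD_PPS = 20_000  # constructed: aggregate rate treated as an attack


def gossip_round(state, rng):
    """One gossip round: every node contacts one random peer and both replace
    their per-prefix values with the pairwise average. The sum over all nodes
    is conserved, so every node drifts toward the global mean observation."""
    names = list(state)
    for a in names:
        b = rng.choice([n for n in names if n != a])
        for prefix in state[a]:
            avg = (state[a][prefix] + state[b][prefix]) / 2
            state[a][prefix] = avg
            state[b][prefix] = avg


def aggregate(observations, rounds=60, seed=1):
    """Run gossip rounds and return, per node, its estimate of the global
    per-prefix total (local mean estimate times the number of nodes)."""
    rng = random.Random(seed)  # seeded so the run is reproducible
    state = {node: dict(rates) for node, rates in observations.items()}
    for _ in range(rounds):
        gossip_round(state, rng)
    n = len(state)
    return {node: {p: v * n for p, v in rates.items()}
            for node, rates in state.items()}


def flagged_prefixes(per_prefix_rate, threshold=GLOBAL_THRESHOLD_PPS):
    """Prefixes whose rate exceeds the threshold; works on local or gossiped data."""
    return sorted(p for p, r in per_prefix_rate.items() if r > threshold)


if __name__ == "__main__":
    estimates = aggregate(LOCAL_OBSERVATIONS)
    for node in LOCAL_OBSERVATIONS:
        print(node, "local:", flagged_prefixes(LOCAL_OBSERVATIONS[node]),
              "after gossip:", flagged_prefixes(estimates[node]))
```

Each node's local view flags nothing, while after gossip every node's approximate global view flags 10.0.0.0/24 without any central collector.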
