George Oikonomou
University of Delaware
USA

Jelena Mirkovic
University of Delaware
USA

Peter Reiher
UCLA
USA

Max Robinson
The Aerospace Corporation
USA

Flooding distributed denial-of-service (DDoS) attacks are a top
security threat for critical Internet services.
The distributed nature of DDoS suggests that a distributed defense mechanism
is necessary.
Three main defense functionalities --- attack detection, rate limiting
and traffic differentiation ---
are most effective when performed at the victim-end, core and source-end respectively.
Secure collaboration between defenses at different locations would
allow them to complement their weaknesses with strengths of other participants,
achieving better, synergistic defense.

Many existing systems are successful in one aspect of defense, such as
attack detection, traffic differentiation or distributed defense in a specific
scenario, but none offers a comprehensive solution and none has seen a
wide deployment. We propose to harvest the strengths of existing defenses
by organizing them into a collaborative overlay, called DefCOM,
and augmenting them with communication
and collaboration functionalities. Nodes collaborate
during the attack to spread alerts and recognize and protect legitimate
traffic,
while rate limiting the attack. DefCOM can accommodate many existing
defenses, provide synergistic response to attacks and naturally lead to an Internet-wide response
to DDoS threat.

Keywords: DDoS, distributed defense, flooding, collaborative defense

Read Paper (in PDF)