Chapter 3: Related Work
3.3 DDoS Defense Framework
3.3.3 Distributed Defense
Existing research on DDoS falls into three categories: attack detection, source finding, and attack traffic control. These are also the three phases of attack defense in an efficient DDoS defense system. In this section, we compare and contrast the techniques used in our framework with those of other existing distributed frameworks along these three phases.
Y. Jing et al. [26] recently proposed an overlay-based distributed defense framework in which attacks are detected at the victim end. Unfortunately, the authors do not explain the detection technique very clearly. For source finding, the Source Path Isolation Engine (SPIE) traceback technique is used. To control attack traffic at the source ends, the authors incorporate the history of a flow into the rate limit calculation by defining a reputation argument. This framework has a few obvious faults. Realizing the framework requires a relatively large modification of current networks. The complex communication mechanism between the overlay and the physical network, and the frequent data exchange between a data center (the Defense Service Provider) and the victim end needed to support SPIE traceback, are not realistic when the victim is under heavy attack. Moreover, a spoofing DDoS attack can render the flow-based rate limit algorithm ineffective. In our framework, a smaller extension of routers is needed, and only for the FIT technique. Based on Yaar's [15] explanation, the FIT technique is a much better choice than SPIE. Finally, spoofing attacks have no deleterious effect on our distance-based rate limit algorithm.
A distributed detection and response scheme is proposed by H.-Y. Lam et al. [28]. A Stub Agent (SA) deployed in a local ISP network detects anomalous changes in the traffic rate using the cumulative sum (CUSUM) method [34]. Source-end SAs and transit network agents (TAs) lower attack traffic in the network by setting different rate limits. Unfortunately, DDoS detection based on disproportionate TCP packet rates cannot cover proportional attacks, attacks with randomized forged IP addresses originating from a single machine, or attacks that use many agents. Furthermore, rate limiting at core routers definitely lowers the performance of the whole network. The scheme also lacks an effective method to reconstruct the attack path when a spoofing attack happens. A more serious problem is collateral damage to legitimate traffic. The two distance-based DDoS detection techniques of our framework, used in the distance-based DDoS defense system at the victim end, work well under these DDoS attacks. Based on the distance-based rate limit mechanism, the distance-based DDoS defense systems at the source ends can efficiently control attack traffic to maintain QoS for legitimate traffic with less collateral damage.
CHAPTER 3. RELATED WORK 37
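As an added illustration (not code from this thesis or from Lam et al. [28]) of the CUSUM-style rate-change detection a Stub Agent performs: a one-sided CUSUM run over a constructed per-second packet-count series, where the baseline, drift and threshold values are assumptions.

```python
# Added example: one-sided CUSUM change detector over a per-second packet-rate
# series. The traffic trace is constructed; baseline, drift and threshold are
# assumed tuning values, not parameters from the thesis or from Lam et al.
from typing import List, Optional


def cusum_alarm(rates: List[float], baseline: float, drift: float,
                threshold: float) -> Optional[int]:
    """Return the index of the first sample at which the one-sided CUSUM
    statistic S_n = max(0, S_{n-1} + (x_n - baseline - drift)) exceeds
    threshold, or None if no upward change in rate is detected.

    drift:     slack subtracted from each deviation so that ordinary
               fluctuation around the baseline does not accumulate.
    threshold: excess that must accumulate before alarming; larger values
               give fewer false alarms but slower detection.
    """
    s = 0.0
    for i, x in enumerate(rates):
        s = max(0.0, s + (x - baseline - drift))
        if s > threshold:
            return i
    return None


def detection_delay(rates: List[float], change_at: int, baseline: float,
                    drift: float, threshold: float) -> Optional[int]:
    """Samples between the true change point and the alarm (None if missed)."""
    alarm = cusum_alarm(rates, baseline, drift, threshold)
    return None if alarm is None else alarm - change_at


# Constructed trace: 20 s of normal traffic fluctuating around 100 pps,
# followed by 10 s of a flood that roughly triples the rate.
NORMAL = [98, 104, 101, 95, 107, 99, 103, 96, 100, 105,
          102, 97, 99, 106, 101, 100, 94, 103, 98, 102]
FLOOD = [290, 310, 305, 298, 320, 315, 300, 312, 308, 318]
TRACE = NORMAL + FLOOD
CHANGE_AT = len(NORMAL)   # the flood starts at index 20

if __name__ == "__main__":
    # Normal traffic never accumulates; the flood trips the alarm one sample
    # after it starts with threshold 200, or immediately with threshold 150.
    print("normal-only alarm:", cusum_alarm(NORMAL, 100.0, 10.0, 200.0))
    print("alarm index:", cusum_alarm(TRACE, 100.0, 10.0, 200.0))
    print("delay (samples):", detection_delay(TRACE, CHANGE_AT, 100.0, 10.0, 200.0))
```

Lowering the threshold shortens the detection delay at the cost of more false alarms, which is the trade-off the survey's remark about detection time versus computation points at.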
DefCOM [29] is a distributed cooperative system for DDoS defense developed by J. Mirkovic et al. In DefCOM's dynamically built overlay peer-to-peer network, nodes communicate with each other to defend against an attack cooperatively. The DefCOM overlay consists of three types of nodes: alert generators, classifiers, and rate-limiters. Alert generator nodes collect detection information from physical nodes and flood alert messages to all other overlay nodes. Classifier nodes differentiate between legitimate and attack packets. Rate-limiter nodes control attack traffic at source-end routers. While fighting a DDoS attack, all nodes communicate with each other by flooding messages every six seconds. Such frequent communication among a huge number of defense nodes carries a high risk of being exploited by attackers to attack the DefCOM system itself. Furthermore, the classifier will not work for current DDoS attack traffic, which has no distinct signature. In contrast, we use a relatively simple cooperative mechanism between the distance-based DDoS defense system at the victim end and those at the source ends to avoid unnecessary message broadcasting. Our distance-based attack traffic control mechanism, which operates at a coarser granularity, provides higher performance on traffic in situations where flow-based DefCOM classifier nodes may not work.
G. Zhang and M. Parashar [31] propose and evaluate a novel distributed framework on the overlay network. In this scheme, an attack defense system is deployed in intermediate networks. An intermediate network is a network that connects multiple autonomous systems. To forward a huge volume of traffic among multiple autonomous systems, an intermediate network usually consists of high-speed routers. Since these routers spend most of their resources forwarding traffic, they do not have enough resources left to support complex DDoS defense strategies. Furthermore, the framework reacts to a DDoS attack slowly due to the lack of an efficient source finding technique. In our framework, the FIT technique supports fast reaction in source-end edge routers after DDoS attacks are detected at the victim end. Relatively complex defense mechanisms can get enough resources at edge routers because of their light traffic load.
COSSACK [32], proposed by Christos Papadopoulos et al., is a cooperative DDoS suppression framework. Rather than observing traffic in the core network, COSSACK focuses on detecting changes of traffic at the egress/ingress point of an individual edge network. A watchdog forwards attack information over an overlay distribution tree spanning all the participating watchdog systems. Source-end watchdog systems use an existing technique (D-WARD [39]) to set rate limits for attack traffic. One of the serious disadvantages of COSSACK is that spoofing DDoS attacks are not addressed. Unfortunately, spoofing source addresses is a basic feature of current DDoS attacks. Second, the multicast mechanism used for alert message broadcasting limits COSSACK's scalability. Last, COSSACK uses different detection techniques at the source and victim ends. This definitely makes the cooperative mechanism more complex and its reaction slower, because detection results from the source-end detection technique have no connection to the attack reality at the victim end. In our framework, the relatively clear functional separation between victim-end and source-end systems helps expedite the reaction to a DDoS attack. The simple cooperative mechanism makes the framework scale to a large network at less cost.
Unlike other distributed DDoS defense systems, the distributed framework proposed by T. Pang et al. [33] works well under highly distributed DDoS attacks. A history-based IP filtering scheme is globally deployed in edge routers, and history information decides whether to admit a packet. However, there is no effective cooperative mechanism among the edge router filtering systems, so efficient reaction is not possible. Furthermore, the filtering-based scheme works badly under current attacks because the attack signature is unclear; collateral damage to legitimate traffic will therefore be inflicted at edge routers. Our framework can quickly react to DDoS attacks based on an efficient cooperative mechanism, and the distance-based rate limit mechanism decreases collateral damage to legitimate traffic.
K.K.K. Wan et al. [27] propose a global defense infrastructure (GDI). Fully configured local detection systems (LDSes) are deployed where most cross-domain traffic will pass through. After receiving alert messages, LDSes decide whether to filter a packet. Unfortunately, the multi-level traffic filtering mechanism definitely increases the risk of inflicting collateral damage on legitimate traffic. In addition, the attack detection process at cross-domain points slows down the sending rate of legitimate traffic. Finally, GDI needs large memories at routers to store huge amounts of traffic data. In contrast, our distance-based detection techniques and rate limit mechanism do not need to save large amounts of history data.
In the pushback technique proposed by Floyd et al. [30], a downstream router coordinates with upstream routers and requires them to control the attack traffic that is leading to congestion at the downstream router. Basically, the pushback technique is divided into two parts: local aggregate congestion control (ACC) and a cooperative pushback mechanism. Local ACC detects and controls the flows that create congestion using its own rate limit technique. Under a severe attack, local ACC sends pushback messages to upstream routers to require them to control their traffic. As we mentioned in Section 3.2.2, in our framework the distance-based rate limit mechanism creates less collateral damage for legitimate traffic than the pushback technique. Furthermore, the pushback technique needs to broadcast pushback messages along an attack path from the victim to a source-end defense system, which is very time consuming. In contrast, our framework can directly send alert messages to source-end defense systems because we use the FIT technique, which can directly find the attack sources after analyzing the attack traffic received at the victim. "Pushback is considered one of most promising techniques to defend against DDoS attacks" [70]. Therefore, we compare our framework with the pushback technique in this thesis.
3.4 Summary
Existing DDoS detection techniques are mainly categorized into two types: DDoS detection based on analysis of IP attributes and DDoS detection based on traffic volume. The problems in current detection techniques are as follows:
the detection schemes ineffective.
2. The time to reveal the anomalous conditions is too long due to complex computations.
To respond to a DDoS attack, packet filtering tries to filter out attack traffic based on DDoS attack signatures. However, it is hard to obtain attack signatures for current DDoS attacks because attack traffic is similar to normal traffic. Another problem with packet filtering techniques is collateral damage to legitimate traffic. In contrast, recent studies show that rate limit techniques can mitigate an attack effectively by setting appropriate rate limits on attack traffic, and at the same time they do not lead to serious collateral damage to legitimate traffic.
After analyzing existing frameworks, we have found three types of DDoS defense frameworks: victim-end, source-end, and distributed defense frameworks. Victim-end defense frameworks respond to DDoS attacks too late. A source-end defense framework cannot achieve good performance due to the lack of attack information. In contrast, a distributed framework can achieve better performance through cooperation among multiple distributed defense subsystems. A number of studies show that the distributed DoS problem indeed needs a distributed solution.
In the next chapter, we will present in detail our proposed distance-based DDoS defense framework.