Issue No. 08 - August 2008 (vol. 57)
pp. 1098-1112
Jelena Mirkovic , USC Information Sciences Institute, Marina Del Rey
Peter Reiher , UCLA, Los Angeles
Christos Papadopoulos , Colorado State University, Fort Collins
Alefiya Hussain , SPARTA, Inc., El Segundo
Marla Shepard , BBN Technologies, Cambridge
Michael Berg , Sandia National Laboratories, Albuquerque
Robert Jung , Sandia National Laboratories, Albuquerque
ABSTRACT
Testing security systems is challenging because a system's authors have to play the double role of attackers and defenders. Red Team/Blue Team exercises are an invaluable mechanism for security testing. They partition researchers into two competing teams of attackers and defenders, enabling them to create challenging and realistic test scenarios. While such exercises provide valuable insight into the vulnerabilities of security systems, they are very expensive and thus rarely performed. In this paper we describe a Red Team/Blue Team exercise, sponsored by DARPA's FTN program and performed from October 2002 to May 2003. The goal of the exercise was to evaluate a collaborative DDoS defense consisting of a distributed system, COSSACK, and a stand-alone defense, D-WARD. The role of the Blue Team was played by the developers of the tested systems from USC/ISI and UCLA, the Red Team included researchers from Sandia National Laboratories, and all coordination, experiment execution, result collection, and analysis was performed by the White Team from BBN Technologies. This exercise was of immense value to all involved: it uncovered significant vulnerabilities in the tested systems, pointed out desirable characteristics of DDoS defense systems (e.g., avoiding reliance on timing mechanisms), and taught us many lessons about testing DDoS defenses.
INDEX TERMS
Network-level security and protection, Testing, Certification, and Licensing
CITATION
Jelena Mirkovic, Peter Reiher, Christos Papadopoulos, Alefiya Hussain, Marla Shepard, Michael Berg, Robert Jung, "Testing a Collaborative DDoS Defense In a Red Team/Blue Team Exercise", IEEE Transactions on Computers, vol.57, no. 8, pp. 1098-1112, August 2008, doi:10.1109/TC.2008.42
REFERENCES
[1] W.W. Gibbs, "Red Team versus the Agents," ScientificAmerican.com, Dec. 2000.
[2] D. Levin, “Lessons Learned Using Live Red Teams in IA Experiments,” Proc. Third DARPA Information Survivability Conf. and Exposition, 2003.
[3] C. Papadopoulos, R. Lindell, J. Mehringer, A. Hussain, and R. Govindan, “COSSACK: Coordinated Suppression of Simultaneous Attacks,” Proc. Third DARPA Information Survivability Conf. and Exposition, pp. 2-13, 2003.
[4] J. Mirkovic and P. Reiher, “D-WARD: A Source-End Defense Against Flooding Denial-of-Service Attacks,” IEEE Trans. Dependable and Secure Computing, vol. 2, no. 3, pp. 216-232, July-Sept. 2005.
[5] P. Ferguson and D. Senie, Network Ingress Filtering: Defeating Denial of Service Attacks which Employ IP Source Address Spoofing, IETF RFC 2267, 1998.
[6] YOID Homepage, Information Sciences Inst., http://www.isi.edu/div7yoid, 2008.
[7] Cisco IOS NetFlow, Cisco, http://www.cisco.com/en/US/products/ps6601/products_ios_protocol_group_home.html, 2008.
[8] "Snort," Snort.org, http://www.snort.org/, 2008.
[9] "Skaion Traffic Generation System," S. Corp., http://www.skaion.com/productsindex.html, 2008.
[10] M. Walfish, M. Vutukuru, H. Balakrishnan, D. Karger, and S. Shenker, “DDoS Defense by Offense,” Proc. ACM SIGCOMM '06, Sept. 2006.
[11] J. Mirkovic, A. Hussain, B. Wilson, S. Fahmy, P. Reiher, R. Thomas, W. Yao, and S. Schwab, “Towards User-Centric Metrics for Denial-of-Service Measurement,” Proc. Workshop Experimental Computer Science, June 2007.
[12] A. Kuzmanovic and E.W. Knightly, “Low-Rate TCP-Targeted Denial of Service Attacks (The Shrew vs. the Mice and Elephants),” Proc. ACM SIGCOMM '03, Aug. 2003.
[13] C. Schuba, I. Krsul, M. Kuhn, G. Spafford, A. Sundaram, and D. Zamboni, “Analysis of a Denial of Service Attack on TCP,” Proc. IEEE Symp. Security and Privacy, May 1997.
[14] nmap Security Scanner, Insecure.org, http://www.insecure.org/, 2008.
[15] T. Benzel, R. Braden, D. Kim, C. Neuman, A. Joseph, K. Sklower, R. Ostrenga, and S. Schwab, “Experiences with DETER: A Testbed for Security Research,” Proc. Second Int'l IEEE/Create-Net Conf. Testbeds and Research Infrastructures for the Development of Networks and Communities, Mar. 2006.