This Article 
 Bibliographic References 
 Add to: 
Collaborative Detection of DDoS Attacks over Multiple Network Domains
December 2007 (vol. 18 no. 12)
pp. 1649-1662
This paper presents a new distributed approach to detecting DDoS (distributed denial of services) flooding attacks at the traffic flow level. The new defense system is suitable for efficient implementation over the core networks operated by Internet service providers (ISP). At the early stage of a DDoS attack, some traffic fluctuations are detectable at Internet routers or at gateways of edge networks. We develop a distributed change-point detection (DCD) architecture using change aggregation trees (CAT). The idea is to detect abrupt traffic changes across multiple network domains at the earliest time. Early detection of DDoS attacks minimizes the flooding damages to the victim systems serviced by the provider.The system is built over attack-transit routers, which work together cooperatively. Each ISP domain has a CAT server to aggregate the flooding alerts reported by the routers. CAT domain servers collaborate among themselves to make the final decision. To resolve policy conflicts at different ISP domains, a new secure infrastructure protocol (SIP) is developed to establish the mutual trust or consensus. We simulated the DCD system up to 16 network domains on the DETER testbed, a 220-node PC cluster for Internet emulation experiments at USC Information Science Institute. Experimental results show that 4 network domains are sufficient to yield a 98% detection accuracy with only 1% false-postive alarms. Based on a 2006 Internet report on AS (autonomous system) domain distribution, we prove that this DDoS defense systrem can scale well to cover 84 AS domains. This security coverage is wide enough to safeguard most ISP core networks from real-life DDoS flooding attacks.

[1] H. Aljifri, “IP Traceback: A New Denial-of-Service Deterrent,” IEEE Security and Privacy, pp. 24-31, May/June 2003.
[2] T. Anderson et al., “Rocketfuel: An ISP Topology Mapping Engine,” rocketfuel/, 2006.
[3] S. Bellovin, J. Schiller, and C. Kaufman, Security Mechanism for the Internet, IETF RFC 3631, 2003.
[4] T. Benzel et al., “Experience with DETER: A Testbed for Security Research,” Proc. Second IEEE Conf. Testbeds and Research Infrastructures for the Development of Networks and Communities (TridentCom '06), 2006.
[5] R. Blazek et al., “A Novel Approach to Detection of DoS Attacks via Adaptive Sequential and Batch-Sequential Change-Point Detection Methods,” Proc. IEEE Workshop Information Assurance and Security, June 2001.
[6] M. Cai, K. Hwang, J. Pan, and C. Papadupolous, “WormShield: Fast Worm Signature Generation with Distributed Fingerprint Aggregation,” IEEE Trans. Dependable and Secure Computing, vol. 4, no. 2, Apr./June 2007.
[7] G. Carl, G. Kesidis, R. Brooks, and S. Rai, “Denial-of-Service Attack Detection Techniques,” IEEE Internet Computing, Jan./Feb. 2006.
[8] A. Chakrabarti and G. Manimaran, “Internet Infrastructure Security: A Taxonomy,” IEEE Network, Nov. 2002.
[9] S. Chen and Q. Song, “Perimeter-Based Defense against High Bandwidth DDoS Attacks,” IEEE Trans. Parallel and Distributed Systems, vol. 16, no. 6, June 2005.
[10] Y. Chen and K. Hwang, “Collaborative Detection and Filtering of Shrew DDoS Attacks Using Spectral Analysis,” J. Parallel and Distributed Computing, special issue on security in grids and distributed systems, pp. 1137-1151, Sept. 2006.
[11] Y. Chen and K. Hwang, “Collaborative Change Detection of DDoS Attacks on Community and ISP Networks,” Proc. IEEE Int'l Symp. Collaborative Technologies and Systems (CTS '06), May 2006.
[12] X. Dimitropoulos, D. Krioukov, G. Riley, and K. Claffy, “Revealing the Autonomous System Taxonomy: The Machine Learning Approach,” Proc. Passive and Active Measurement Workshop (PAM'06), 2006.
[13] D. Dittrich, “The “Stacheldraft” Distributed Denial of Service Attack Tool,” http://staff.washington.edudittrich/, 2000.
[14] M. Faloutsos, C. Faloutsos, and P. Faloutsos, “On Power-Law Relationships of the Internet Topology,” Proc. ACM SIGCOMM '99, Aug. 1999.
[15] V. Fuller, T. Li, J. Yu, and K. Varadhan, Classless Inter-Domain Routing (CIDR): An Address Assignment and Aggregation Strategy, IETF RFC 1519, 1993.
[16] T. Gil and M. Poletto, “MULTOPS: A Data-Structure for Bandwidth Attack Detection,” Proc. 10th Usenix Security Symp., Aug. 2001.
[17] K. Houle et al., “Trends in Denial of Service Attack Technology,”, 2001.
[18] A. Hussain, J. Heidemann, and C. Papadopoulos, “Identification of Repeated Denial of Service Attacks,” Proc. INFOCOM '06, Apr. 2006.
[19] K. Hwang, M. Cai, Y. Chen, and M. Qin, “Hybrid Intrusion Detection with Weighted Signature Generation over Anomalous Internet Episodes,” IEEE Trans. Dependable and Secure Computing, vol. 4, no. 1, pp. 41-55, Jan.-Mar. 2007.
[20] J. Ioannidis and S.M. Bellovin, “Implementing Pushback: Router-Based Defense against DDoS Attacks,” Proc. Network and Distributed System Security Symp. (NDSS '02), Feb. 2002.
[21] ISO 3166 Report, “AS Resource Allocations,” http://bgp.potaroo. net/iso3166ascc.html , 2006.
[22] H. Jiang and C. Dovrolis, “Why Is the Internet Traffic Bursty in Short Time Scales,” Proc. ACM SIGMETRICS '05, June 2005.
[23] J. Jung, B. Krishnamurthy, and M. Rabinovich, “Flash Crowds and Denial-of-Service Attacks: Characterization and Implications for CDNs and Web Sites,” Proc. 11th Int'l World Wide Web Conf. (WWW '02), 2002.
[24] S. Kandula, D. Katabi, M. Jacob, and A. Berger, “Botz-4-Sale: Surviving Organized DDoS Attacks That Mimic Flash Crowds,” Proc. Second Symp. Networked Systems Design and Implementation (NSDI '05), May 2005.
[25] S. Kent and R. Atkinson, Security Architecture for the Internet Protocol, IETF RFC 2401, 1998.
[26] Y. Kim, W.C. Lau, M.C. Chuah, and H.J. Chao, “PacketScore: Statistics-Based Overload Control against Distributed Denial of Service Attacks,” Proc. INFOCOM '04, 2004.
[27] T. Law, J. Lui, and D. Yau, “You Can Run, But You Can't Hide: An Effective Statistical Methodology to Trace Back DDoS Attackers,” IEEE Trans. Parallel and Distributed Systems, Sept. 2005.
[28] R. Mahajan, S. Bellovin, S. Floyd, J. Ioannidis, V. Paxson, and S. Shenker, “Controlling High Bandwidth Aggregates in the Network,” Computer Comm. Rev., July 2002.
[29] J. Mirkovic and P. Reiher, “D-WARD: A Source-End Defense against Flooding DoS Attacks,” IEEE Trans. Dependable and Secure Computing, pp. 216-232, July 2005.
[30] T. Monk and K. Claffy, “Cooperation in Internet Data Acquisition and Analysis,” Proc. Coordination and Administration of the Internet Workshop, (CAIDA Project), http:/, Sept. 1996.
[31] D. Moore, G. Voelker, and S. Savage, “Inferring Internet Denial-of-Service Activity,” Proc. 10th Usenix Security Symp., 2001.
[32] P. Ning, S. Jajodia, and X.S. Wang, “Abstraction-Based Intrusion Detection in Distributed Environment,” ACM Trans. Information and System Security, pp. 407-452, Nov. 2001.
[33] C. Papadopoulos, R. Lindell, J. Mehringer, A. Hussain, and R. Govindan, “COSSACK: Coordinated Suppression of Simultaneous Attacks,” Proc. Third DARPA Information Survivability Conf. and Exposition (DISCEX-III '03), pp. 2-13, 2003.
[34] T. Peng, C. Leckie, and K. Ramamohanarao, “Detecting Distributed Denial of Service Attacks by Sharing Distributed Beliefs,” Proc. Eighth Australasian Conf. Information Security and Privacy (ACISP '03), July 2003.
[35] J. Postel, Internet Control Message Protocol, IETF RFC 792, 1981.
[36] S. Ranjan, R. Swaminathan, M. Uysal, and E. Knightly, “DDoS-Resilient Scheduling to Counter Application Layer Attacks under Imperfect Detection,” Proc. INFOCOM '06, Apr. 2006.
[37] T. Ryutov, L. Zhou, C. Neuman, T. Leithead, and K.E. Seamons, “Adaptive Trust Negotiation and Access Control,” Proc. ACM Symp. Access Control Models and Technologies (SACMAT '05), June 2005.
[38] G. Siganos, M. Faloutsos, P. Faloutsos, and C. Faloutsos, “Power-Laws and the AS-Level Internet Topology,” ACM/IEEE Trans. Networking, pp. 514-524, Aug. 2003.
[39] S.M. Specht and R.B. Lee, “Distributed Denial of Service: Taxonomies of Attacks, Tools and Countermeasures,” Proc. 17th Int'l Conf. Parallel and Distributed Computing Systems (PDCS '04), Sept. 2004.
[40] J. Sommers and P. Barford, “Self-Configuring Network Traffic Generation,” Proc. ACM Internet Measurement Conf. (IMC '04), Oct. 2004.
[41] M. Walfish, M. Vutukuru, H. Balakrishnan, D. Karger, and S. Shenker, “DDoS Defense by Offense,” Proc. ACM SIGCOMM '06, Sept. 2006.
[42] H. Wang, D. Zhang, and K. Shin, “Change-Point Monitoring for the Detection of DoS Attacks,” IEEE Trans. Dependable and Secure Computing, vol. 1, Oct.-Dec. 2004.
[43] X. Wang, S. Chellappan, P. Boyer, and D. Xuan, “On the Effectiveness of Secure Overlay Forwarding Systems under Intelligent Distributed DoS Attacks,” IEEE Trans. Parallel and Distributed Systems, vol. 17, no. 7, July 2006.

Index Terms:
Cyber defense, network security, DDoS attacks, Internet technology
Yu Chen, Kai Hwang, Wei-Shinn Ku., "Collaborative Detection of DDoS Attacks over Multiple Network Domains," IEEE Transactions on Parallel and Distributed Systems, vol. 18, no. 12, pp. 1649-1662, Dec. 2007, doi:10.1109/TPDS.2007.1111
Usage of this product signifies your acceptance of the Terms of Use.