This Article 
   
 Share 
   
 Bibliographic References 
   
 Add to: 
 
Digg
Furl
Spurl
Blink
Simpy
Google
Del.icio.us
Y!MyWeb
 
 Search 
   
D-WARD: A Source-End Defense against Flooding Denial-of-Service Attacks
July-September 2005 (vol. 2 no. 3)
pp. 216-232
Defenses against flooding distributed denial-of-service (DDoS) commonly respond to the attack by dropping the excess traffic, thus reducing the overload at the victim. The major challenge is the differentiation of the legitimate from the attack traffic, so that the dropping policies can be selectively applied. We propose D-WARD, a source-end DDoS defense system that achieves autonomous attack detection and surgically accurate response, thanks to its novel traffic profiling techniques, the adaptive response and the source-end deployment. Moderate traffic volumes seen near the sources, even during the attacks, enable extensive statistics gathering and profiling, facilitating high response selectiveness. D-WARD inflicts an extremely low collateral damage to the legitimate traffic, while quickly detecting and severely rate-limiting outgoing attacks. D-WARD has been extensively evaluated in a controlled testbed environment and in real network operation. Results of selected tests are presented in the paper.

[1] J. Mirkovic, G. Prier, and P. Reiher, “Attacking DDoS at the Source,” Proc. Int'l Conf. Network Protocols, Nov. 2002.
[2] J. Mirkovic, “D-Ward: Source-End Defense against Distributed Denial-of-Service Attacks,” PhD dissertation, Univ. of California Los Angeles, Aug. 2003, http://lasr.cs.ucla.edu/ddosdward-thesis.pdf .
[3] J. Mirkovic, G. Prier, and P. Reiher, “Challenges of Source-End DDoS Defense,” Proc. Int'l Symp. Network Computing and Applications, Apr. 2003.
[4] P. Ferguson and D. Senie, “Network Ingress Filtering: Defeating Denial of Service Attacks which Employ IP Source Address Spoofing,” RFC 2827, May 2000.
[5] R. Mahajan, S. Bellovin, S. Floyd, V. Paxson, and S. Shenker, “Controlling High Bandwidth Aggregates in the Network,” ACM Computer Comm. Rev., vol. 32, no. 3, July 2002.
[6] V. Jacobson, “Congestion Avoidance and Control,” ACM Computer Comm. Rev.; Proc. Sigcomm '88 Symp., vol. 18, no. 4, pp. 314-329, Aug. 1988.
[7] J. Postel, “User Datagram Protocol,” RFC 768, Aug. 1980.
[8] Characterization of Internet Traffic Loads, Segregated by Application, CAIDA, http://www.caida.org/analysis/workload byapplication /, 2002.
[9] C. Schuba, I. Krsul, M. Kuhn, G. Spafford, A. Sundaram, and D. Zamboni, “Analysis of a Denial of Service Attack on TCP,” Proc. 1997 IEEE Symp. Security and Privacy, May 1997.
[10] I.S. Institute, “Transmission Control Protocol,” RFC 793, Sept. 1981
[11] S. Bellovin, “Defending against Sequence Number Attacks,” RFC 1948, May 1996.
[12] G. Prier, “iDward: Implementing D-WARD in the IXP,” Master's thesis, Univ. of California Los Angeles, 2003.
[13] B. White, J. Lepreau, L. Stoller, R. Ricci, S. Guruprasad, M. Newbold, M. Hibler, C. Barb, and A. Joglekar, “An Integrated Experimental Environment for Distributed Systems and Networks,” Proc. Fifth Symp. Operating Systems Design and Implementation, pp. 255-270, Dec. 2002.
[14] Sourceforge, “tcpreplay Tool,” http:/tcpreplay.sourceforge.net/, 2000.
[15] H. Bos, “tcpreplay-Lite Tool,” http://www.cs.vu.nl/~herbertb/miscreplay /, 2004.
[16] DETER/EMIST project Web page, http://www.isi.edudeter, 2004.
[17] NetRanger Overview, Cisco, http://www.cisco.com/univercd/cc/td/doc/ product/iaabu/csids/csids1/csidsugoverview.htm , 2004.
[18] Network Intrusion Detector Overview, Computer Incident Advisory Capability, http://ciac.llnl.gov/cstc/nidintro.html, 2004.
[19] Intrusion Detection Security Products, Internet Security Systems, http://www.iss.net/securing_e-business/security_products/ intrusion_detectionindex.php , 2005.
[20] NFR Sensitivist Intrusion Detection System, NFR Security, http://www.nfr.com/solutionssentivist-ids.php , 2003.
[21] P.G. Neumann and P.A. Porras, “Experience with EMERALD to DATE,” Proc. First USENIX Workshop Intrusion Detection and Network Monitoring, Apr. 1999.
[22] S. Liu, Y. Xiong, and P. Sun, “On Prevention of the Denial of Service Attacks: A Control Theoretical Approach,” Proc. IEEE Systems, Man, and Cybernetics Information Assurance and Security Workshop, June 2000.
[23] R. Thomas, T. Johnson, J. Croall, and B. Mark, “NetBouncer: Client-legitimacy-based High-performance DDoS Filtering,” McAfee Security J., vol. 6, no. 1, 2004.
[24] Mazu Technical White Papers, Mazu Networks, http://www. mazunetworks.com/solutionswhite_papers /, 2005.
[25] The Peakflow Platform, Arbor Networks, http:/www. arbornetworks.com, 1999.
[26] A. Juels and J. Brainard, “Client Puzzles: A Cryptographic Countermeasure Against Connection Depletion Attacks,” Proc. 1999 Networks and Distributed System Security Symp., Mar. 1999.
[27] Y.L. Zheng and J. Leiwo, “A Method to Implement a Denial of Service Protection Base,” Information Security and Privacy, 1997.
[28] O. Spatscheck and L.L. Petersen, “Defending against Denial of Service Attacks in Scout,” Proc. Third Symp. Operating Systems Design and Implementation, Feb. 1999.
[29] A. Garg and A.L. N. Reddy, “Mitigation of DoS Attacks through QoS Regulation,” Proc. IWQOS Workshop, May 2002.
[30] F. Lau, S.H. Rubin, M.H. Smith, and L. Trajkovic, “Distributed Denial of Service Attacks,” Proc. IEEE Int'l Conf. Systems, Man, and Cybernetics, pp. 2275-2280, Oct. 2000.
[31] A.D. Keromytis, V. Misra, and D. Rubenstein, “SOS: Secure Overlay Services,” Proc. SIGCOMM 2002, 2002.
[32] J. Mirkovic, M. Robinson, and P. Reiher, “Forming Alliance for DDoS Defenses,” Proc. New Security Paradigmes Workshop, Aug. 2003.
[33] C. Papadopoulos, R. Lindell, J. Mehringer, A. Hussain, and R. Govindan, “Cossack: Coordinated Suppression of Simultaneous Attacks,” Proc. DARPA Information Survivability Conf. and Exposition (DISCEX) III, 2003.
[34] R. Canonico, D. Cotroneo, L. Peluso, S.P. Romano, and G. Ventre, “Programming Routers to Improve Network Security,” Proc. OPENSIG 2001 Workshop Next Generation Network Programming, Sept. 2001.
[35] D. Schnackenberg, K. Djahandari, and D. Sterne, “Infrastructure for Intrusion Detection and Response,” Advanced Security Research J., vol. 3, no. 1, 2001.
[36] MANAnet DDoS White Papers, Cs3. Inc, http://www. cs3-inc.commananet.html, 2002.
[37] T. Peng, C. Leckie, and K. Ramamohanarao, “Defending against Distributed Denial of Service Attack Using Selective Pushback,” Proc. Ninth IEEE Int'l Conf. Telecomm. (ICT 2002), 2002.
[38] T.M. Gil and M. Poletto, “MULTOPS: A Data-Structure for Bandwidth Attack Detection,” Proc. 10th Usenix Security Symp., Aug. 2001.

Index Terms:
Index Terms- Network-level security and protection, network monitoring, fault tolerance.
Citation:
Jelena Mirkovic, Peter Reiher, "D-WARD: A Source-End Defense against Flooding Denial-of-Service Attacks," IEEE Transactions on Dependable and Secure Computing, vol. 2, no. 3, pp. 216-232, July-Sept. 2005, doi:10.1109/TDSC.2005.35
Usage of this product signifies your acceptance of the Terms of Use.