Issue No. 12 - December (2007 vol. 18)
This paper presents a new distributed approach to detecting DDoS (distributed denial of services) flooding attacks at the traffic flow level. The new defense system is suitable for efficient implementation over the core networks operated by Internet service providers (ISP). At the early stage of a DDoS attack, some traffic fluctuations are detectable at Internet routers or at gateways of edge networks. We develop a distributed change-point detection (DCD) architecture using change aggregation trees (CAT). The idea is to detect abrupt traffic changes across multiple network domains at the earliest time. Early detection of DDoS attacks minimizes the flooding damages to the victim systems serviced by the provider.The system is built over attack-transit routers, which work together cooperatively. Each ISP domain has a CAT server to aggregate the flooding alerts reported by the routers. CAT domain servers collaborate among themselves to make the final decision. To resolve policy conflicts at different ISP domains, a new secure infrastructure protocol (SIP) is developed to establish the mutual trust or consensus. We simulated the DCD system up to 16 network domains on the DETER testbed, a 220-node PC cluster for Internet emulation experiments at USC Information Science Institute. Experimental results show that 4 network domains are sufficient to yield a 98% detection accuracy with only 1% false-postive alarms. Based on a 2006 Internet report on AS (autonomous system) domain distribution, we prove that this DDoS defense systrem can scale well to cover 84 AS domains. This security coverage is wide enough to safeguard most ISP core networks from real-life DDoS flooding attacks.
Cyber defense, network security, DDoS attacks, Internet technology
Y. Chen, K. Hwang and W. Ku., "Collaborative Detection of DDoS Attacks over Multiple Network Domains," in IEEE Transactions on Parallel & Distributed Systems, vol. 18, no. , pp. 1649-1662, 2007.