Max Robinson Jelena Mirković DR. Peter Reiher

1. DefCOM Defensive Cooperative Overlay Mesh Max Robinson Jelena Mirković DR. Peter Reiher • Motivation • Distributed denial-of-service attacks require a distributed solution. • Detection is more effective closer to the victim network. • Response is more selective closer to the source. • Good coverage with a few deployment points in intermediate network. • Idea • Combine diverse defense systems for cooperative response. • Additional benefits • Wide deployment is achieved by accommodating legacy systems. • Defense nodes can specialize in those functions they can do best. • Through communication, the strengths of specialists can address challenges for other nodes. attacker client client attacker client victim attacker client attacker Distributed Peer-to-Peer Network for DDoS Defense • All nodes in the peer network cooperate to give preferential service to legitimate traffic and constrain the attack by: • Deploying secure packet stamping – each node defines its legitimate and monitored stamp. Classifier nodes mark legitimate packets with legitimate stamps, and the rest of traffic with monitored stamps. Core nodes rewrite these stamps. Any unmarked packets reaching core nodes will be stamped as monitored if they pass the rate-limit. • Serving packets in three service levels – A core node apportions its bandwidth first to packets bearing legitimate stamps, then to packets bearing monitored stamps and any leftover to unstamped traffic. • DefCOM is a peer-to-peer network of defense nodes that exchange information and services to perform cooperative DDoS defense. • Three types of nodes: • Alert generator nodes – detect the attack and alert the rest of the peer network • Core nodes – perform simple rate-limiting • Classifier nodes – differentiate between legitimate traffic and attack traffic, forward legitimate packets and severely rate-limit attack packets attacker client attacker client client client classifier classifier attacker attacker client client core core victim victim Attack detected! alert generator alert generator attacker attacker classifier classifier client client attacker attacker Alert generators detect the attack, send alerts to all peers in the network. Nodes forward alerts to their neighbors, yet avoid cycles. Nodes stamp packets that they forward to the victim. When a node detects a packet with its neighbor’s stamp, this neighbor becomes the node’s child. The node sends a “parent” message to its children. attacker client attacker client client client classifier classifier attacker attacker client client core core victim victim Rate limit N/2 Bps Rate limit N/2 Bps Rate limit N Bps attacker alert generator attacker alert generator classifier classifier client client attacker attacker Nodes with parents/children form a traffic tree. Nodes on the tree cooperate to stop the attack. Rate-limits are propagated from the root to the leaves. Parents divide their rate-limits among their children. Classifiers block attack traffic and forward traffic bearing legitimate stamps. Core nodes overwrite these stamps, and mark any unstamped traffic with monitored stamps. Each node dedicates bandwidth first to legitimate, then to monitored, and last to unstamped traffic.