D-WARD:

DDoS Network Attack Recognition and Defense

Today's routers offer a best-effort service: they forward all traffic toward destinations, attempting to deliver fast and fair service to all flows. Policing, reliability, and rate-control mechanisms are therefore left to be deployed by higher layers at end hosts. This feature has been misused in distributed denial-of-service attacks, where many compromised hosts simultaneously generate excessive traffic to a victim. The number of received packets overwhelms the target, consuming its resources and rendering its services unavailable. Many attempts have been made to design systems that help identify attacking machines and stop malicious flows. Most of these systems are located on the target side (either at the victim host or somewhere in the target network), which facilitates easy detection of the problem and possible characterization of the attack signature. However, they are ineffective in stopping the attack because they require the cooperation of upstream routers to push back the attacking flows. Other proposed systems are located in the network between the attacking machines and the victim. These identify and throttle attacking flows, autonomously or acting on a signal from the victim. They require significant changes in core routers and still do not prevent malicious flows from using network resources.

We propose a system that is located at the source network router (either LAN or border router) that autonomously detects and suppresses DDoS flows originating at this network. This system observes the outgoing and incoming traffic and gathers lightweight statistics on the flows, classified by destination. These statistics, along with built-in traffic models, define legitimate traffic patterns. Any discrepancy between observed traffic and a legitimate traffic pattern for a given destination is considered to be the signal of a potential DDoS attack. The source router then decides to throttle all traffic to the suspected target of the attack and at the same time attempts to separate attacking flows from legitimate flows and identify the attacking machines. This approach has the benefit of preventing malicious flows from entering the network and consuming resources. As the part of our future work, we will investigate the possibility of also deploying this system on the core routers.

D-WARD is funded under DARPA contract N66001-01-1-8937. Thanks to a funds and equipment grant from the Intel Corporation we have an opportunity to use Intel's IXP equipment to combat DDoS attacks in routers close to attack sources.

Project Members:

Jelena Mirkovic, former graduate student, now at University of Delaware
Peter Reiher, principal investigator
Greg Prier, graduate student
Scott Michel, graduate student
Jun Li, former graduate student, now at University of Oregon.

Source Code Release:

dward.tgz
If you are runniing D-WARD or have any questions, we would like to know. E-mail us at dward@lever.cs.ucla.edu

Publications:

J. Mirkovic, D-WARD: Source-End Defense Against Distributed Denial-of-Service Attacks, Ph.D. Thesis
J. Mirkovic, G. Prier and P. Reiher, Attacking DDoS at the Source, Proceedings of ICNP 2002, pp. 312-321, Paris, France, November 2002.
Attacking DDoS at the Source - Presentation at ICNP 2002
A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms - UCLA CSD Technical Report no. 020018
PhD Proposal "D-WARD: DDoS Network Attack Recognition and Defense"
Presentation for PhD Proposal
Source Router Approach to DDoS Defense - Presentation for Usenix Security Symposium 2001 Work In Progress Session
Source Router Approach to DDoS Defense - UCLA CSD Technical Report no. 010042
See also the D-WARD related project publications.

Traces:

Sanitized UCLA CSD traffic traces

Contact:

If you have any questions or suggestions, do not hesitate to contact us.

Total visits since 12/01/2002.