Distributed Defense Against DDoS Attacks

NSF Grant: CNS-016528-001 (Sep 2004 to Aug 2007)
University of Delaware PI:  Jelena Mirkovic
UCLA PI:  Peter Reiher (Laboratory for Advanced Systems Research)

DefCOM  is a three-year NSF-funded collaborative research grant with the Professor Jelena Mirkovic and the University of Delaware.  Under this grant, the LASR lab shall demonstrate that an effective defense against flooding distributed denial-of-servicer (DDoS) attacks, and collatoral damage can be achieved practically through a sparse deploymet of an overlay network of defense nodes.

Many critical funstions today are realized through the use of network services, and DDoS attacks represent a major threat to network operations.  They overwhelm a key resource at the victim network, generating a flood of seemingly legitimate packets, deny services to legitimate clients and frequently create heavy Internet congestion.  Attackers need not possess any particular skill to perpetrate DDoS attacks, and face virtually no risk of attribution.  In spite of numerous research and commercial efforts, there are still no effective DDoS defenses.

DefCOM, our distributed DDoS defense system, will distribute nodes throughout the Internet (organized into peer-to-peer overlays) and will act jointly to detect and respond to DDoS attacks.  Attack resonse is twofold:  on one hand, defense nodes constrain susicious traffic, relieving the victim from high-volume incoming streams that consume resources; on the other hand, nodes cooperate to detect legitimate traffic within the suspicious streams and ensure its correct delivery.  Thus, DefCOM achieves the primary goal of DDoS defense -- that of cancelling the denial-of-service effect.  Additionally, the system has a solid economic model where networks deploying defense nodes directly benefit from their operation.  DefCOM further offers a framework for existing security systems to join the overlay and cooperate in the defense.  These features create an excellent motivation for wide deployment and the possibility of a large impact on the DDoS threat.