We propose a system, located at the source network's router (either a LAN router or the border router), that autonomously detects and suppresses DDoS flows originating in that network. The system observes outgoing and incoming traffic and gathers lightweight statistics on the flows, classified by destination. These statistics, together with built-in traffic models, define legitimate traffic patterns. Any discrepancy between the observed traffic and the legitimate traffic pattern for a given destination is treated as the signal of a potential DDoS attack. The source router then throttles all traffic to the suspected target of the attack and at the same time attempts to separate attacking flows from legitimate flows and to identify the attacking machines. This approach has the benefit of preventing malicious flows from entering the network and consuming resources. As part of our future work, we will investigate the possibility of also deploying this system on core routers.
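The detection-and-throttling loop described above, as an added illustration (this is not D-WARD's own code). It assumes, as a stand-in for the built-in traffic models, one rule for two-way protocols such as TCP: a destination that is genuinely receiving a source network's packets answers at least one packet for every MAX_OUT_IN_RATIO packets sent to it. The flow records, thresholds and addresses are all constructed for the example.

```python
"""Toy source-end DDoS detector modelled on the description above.

Added illustration, not D-WARD's code.  Assumptions (mine, not the page's):
flows are summarised per observation interval as (src, dst, pkts_out, pkts_in)
tuples, and the "legitimate traffic model" is a single rule for two-way
protocols: a destination that is really receiving our packets answers at least
one packet for every MAX_OUT_IN_RATIO packets we send it.
"""
from collections import defaultdict

# Constructed model parameters.
MAX_OUT_IN_RATIO = 3.0      # above this, traffic to a destination looks one-sided
MIN_PKTS_FOR_VERDICT = 20   # too few packets to judge: give the benefit of the doubt
THROTTLE_FACTOR = 0.5       # fraction of current volume still allowed toward a suspected target

# Constructed flow records for one interval: (src, dst, pkts_out, pkts_in).
SAMPLE_FLOWS = [
    ("192.0.2.10", "198.51.100.5", 100, 2),   # one-sided: almost nothing comes back
    ("192.0.2.11", "198.51.100.5", 120, 0),   # one-sided: nothing comes back
    ("192.0.2.12", "198.51.100.5", 30, 25),   # normal two-way exchange with the same host
    ("192.0.2.20", "198.51.100.9", 40, 38),   # normal
    ("192.0.2.21", "198.51.100.9", 15, 12),   # normal
    ("192.0.2.30", "198.51.100.7", 5, 0),     # too small to judge
]


def out_in_ratio(out, inn):
    """Packets sent per packet received; no replies at all is infinitely one-sided."""
    return float("inf") if inn == 0 else out / inn


def aggregate(flows, key):
    """Sum (pkts_out, pkts_in) per key, where key picks dst or src from a record."""
    totals = defaultdict(lambda: [0, 0])
    for rec in flows:
        totals[key(rec)][0] += rec[2]
        totals[key(rec)][1] += rec[3]
    return totals


def is_one_sided(out, inn):
    """The legitimate-traffic model: enough packets to judge, and too few replies."""
    return out + inn >= MIN_PKTS_FOR_VERDICT and out_in_ratio(out, inn) > MAX_OUT_IN_RATIO


def suspicious_destinations(flows):
    """Destinations whose aggregate traffic departs from the legitimate model."""
    per_dst = aggregate(flows, key=lambda r: r[1])
    return sorted(d for d, (out, inn) in per_dst.items() if is_one_sided(out, inn))


def classify_sources(flows, dst):
    """Split the sources talking to `dst` into 'attack' and 'legit' by the same rule."""
    per_src = aggregate((r for r in flows if r[1] == dst), key=lambda r: r[0])
    verdict = {"attack": set(), "legit": set()}
    for src, (out, inn) in per_src.items():
        verdict["attack" if is_one_sided(out, inn) else "legit"].add(src)
    return verdict


def throttle_plan(flows, dst, factor=THROTTLE_FACTOR):
    """Per-source outgoing packet budget toward `dst` for the next interval.

    All traffic to the suspected target is cut to `factor` of its current
    volume, but the budget is spent first on flows classified as legitimate;
    only the remainder is shared, in proportion to demand, among attack flows.
    """
    per_src = aggregate((r for r in flows if r[1] == dst), key=lambda r: r[0])
    verdict = classify_sources(flows, dst)
    budget = int(sum(out for out, _ in per_src.values()) * factor)
    plan = {}
    for src in sorted(verdict["legit"]):
        grant = min(per_src[src][0], budget)
        plan[src] = grant
        budget -= grant
    attack_demand = sum(per_src[s][0] for s in verdict["attack"])
    for src in sorted(verdict["attack"]):
        plan[src] = budget * per_src[src][0] // attack_demand if attack_demand else 0
    return plan


if __name__ == "__main__":
    for target in suspicious_destinations(SAMPLE_FLOWS):
        print(target, classify_sources(SAMPLE_FLOWS, target), throttle_plan(SAMPLE_FLOWS, target))
```

On the constructed interval only 198.51.100.5 is flagged; the two one-sided sources are classified as attacking and share what is left of the halved budget, while the source with a normal two-way exchange keeps its full allowance. A real deployment would need per-protocol models (UDP and ICMP have no reply expectation of this kind) and would refine the verdicts over several intervals rather than acting on one.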
D-WARD is funded under DARPA contract N66001-01-1-8937. Thanks to a funds and equipment grant from the Intel Corporation, we have the opportunity to use Intel's IXP equipment to combat DDoS attacks in routers close to attack sources.
Jelena Mirkovic, former graduate student, now at University of Delaware
Peter Reiher, principal investigator
Greg Prier, graduate student
Scott Michel, graduate student
Jun Li, former graduate student, now at University of Oregon
Source Code Release:
If you have any questions or suggestions, do not hesitate to contact us.