Title: DefCOM: Defensive Cooperative Overlay Mesh
Max Robinson, Jelena Mirkovic, Dr. Peter Reiher
- Motivation
  - Distributed denial-of-service attacks require a distributed solution.
  - Detection is more effective closer to the victim network.
  - Response is more selective closer to the source.
  - Good coverage with a few deployment points in the intermediate network.
- Idea
  - Combine diverse defense systems for cooperative response.
- Additional benefits
  - Wide deployment is achieved by accommodating legacy systems.
  - Defense nodes can specialize in those functions they can do best.
  - Through communication, the strengths of specialists can address challenges for other nodes.
[Figure: attackers and clients sending traffic toward a single victim, with no defense deployed]
Distributed Peer-to-Peer Network for DDoS Defense
- All nodes in the peer network cooperate to give preferential service to legitimate traffic and constrain the attack by:
  - Deploying secure packet stamping. Each node defines its legitimate and monitored stamp. Classifier nodes mark legitimate packets with legitimate stamps, and the rest of the traffic with monitored stamps. Core nodes rewrite these stamps. Any unmarked packets reaching core nodes will be stamped as monitored if they pass the rate-limit.
  - Serving packets in three service levels. A core node apportions its bandwidth first to packets bearing legitimate stamps, then to packets bearing monitored stamps, and any leftover to unstamped traffic.
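The stamping and three-level service described above, as an added example that is not DefCOM's own code. It assumes a stamp is a truncated HMAC over (node name, level) under a key shared with the neighbor, and that a stamp which verifies against no neighbor key is treated as unstamped; the node and packet names in the scenario are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional

LEGIT, MONITORED, UNSTAMPED = "legitimate", "monitored", "unstamped"


def make_stamp(node: str, key: bytes, level: str) -> str:
    """Assumed stamp format: truncated HMAC-SHA256 over (node, level).

    Only a peer holding the key can produce or verify it, so observing
    stamped traffic does not let an attacker forge a legitimate stamp.
    """
    return hmac.new(key, f"{node}:{level}".encode(), hashlib.sha256).hexdigest()[:16]


@dataclass
class Packet:
    src: str
    size: int                      # bytes
    stamp: Optional[str] = None    # None means the packet arrived unstamped


class CoreNode:
    """Core node: verifies neighbor stamps, rewrites them, serves three levels."""

    def __init__(self, name: str, key: bytes, neighbor_keys: Dict[str, bytes],
                 bandwidth: int, unstamped_limit: int):
        self.name, self.key = name, key
        self.neighbor_keys = neighbor_keys      # neighbor name -> key it stamps with
        self.bandwidth = bandwidth              # bytes this node forwards per interval
        self.unstamped_limit = unstamped_limit  # unstamped bytes admitted per interval

    def classify(self, pkt: Packet) -> str:
        """Return the level a packet's stamp proves; unknown or forged stamps are unstamped."""
        if pkt.stamp is None:
            return UNSTAMPED
        for nb, k in self.neighbor_keys.items():
            for level in (LEGIT, MONITORED):
                if hmac.compare_digest(pkt.stamp, make_stamp(nb, k, level)):
                    return level
        return UNSTAMPED

    def process(self, packets: List[Packet]) -> Dict[str, List[Packet]]:
        """Rewrite stamps, rate-limit unstamped traffic, then apportion bandwidth."""
        queues: Dict[str, List[Packet]] = {LEGIT: [], MONITORED: [], UNSTAMPED: []}
        admitted = 0
        for p in packets:
            level = self.classify(p)
            if level == UNSTAMPED and admitted + p.size <= self.unstamped_limit:
                admitted += p.size
                level = MONITORED          # passed the rate-limit: stamp as monitored
            if level != UNSTAMPED:
                p.stamp = make_stamp(self.name, self.key, level)  # core nodes rewrite stamps
            queues[level].append(p)

        # Three service levels: legitimate first, then monitored, leftover to unstamped.
        forwarded, dropped, remaining = [], [], self.bandwidth
        for level in (LEGIT, MONITORED, UNSTAMPED):
            for p in queues[level]:
                if p.size <= remaining:
                    remaining -= p.size
                    forwarded.append(p)
                else:
                    dropped.append(p)
        return {"forwarded": forwarded, "dropped": dropped}


def demo() -> Dict[str, List[Packet]]:
    """Constructed scenario: one classifier neighbor and an attacker forging a stamp."""
    ckey, corekey = b"classifier-key", b"core-key"
    core = CoreNode("core1", corekey, {"cls1": ckey}, bandwidth=3200, unstamped_limit=500)
    packets = [
        Packet("client-a", 1000, make_stamp("cls1", ckey, LEGIT)),
        Packet("client-b", 1000, make_stamp("cls1", ckey, LEGIT)),
        Packet("suspect-c", 800, make_stamp("cls1", ckey, MONITORED)),
        Packet("attacker-d", 1000, make_stamp("cls1", b"guessed-key", LEGIT)),  # forged stamp
        Packet("unknown-e", 400),   # unstamped, within the limit -> becomes monitored
        Packet("unknown-f", 400),   # unstamped, exceeds the limit -> stays unstamped
    ]
    return core.process(packets)


if __name__ == "__main__":
    for kind, pkts in demo().items():
        print(kind, [(p.src, p.stamp) for p in pkts])
```

The forged stamp fails verification against every neighbor key, so the attacker's packet competes only for leftover bandwidth together with the unstamped excess, while verified legitimate and monitored traffic is served first and leaves with this node's own stamp.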
- DefCOM is a peer-to-peer network of defense nodes that exchange information and services to perform cooperative DDoS defense.
- Three types of nodes:
  - Alert generator nodes detect the attack and alert the rest of the peer network.
  - Core nodes perform simple rate-limiting.
  - Classifier nodes differentiate between legitimate traffic and attack traffic, forward legitimate packets and severely rate-limit attack packets.
[Figure: DefCOM deployment with classifier, core and alert generator nodes placed between the attackers/clients and the victim; the alert generator at the victim raises "Attack detected!"]
Alert generators detect the attack and send alerts
to all peers in the network. Nodes forward
alerts to their neighbors, yet avoid cycles.
Nodes stamp packets that they forward to the
victim. When a node detects a packet with its
neighbor's stamp, this neighbor becomes the
node's child. The node sends a parent message
to its children.
[Figure: traffic tree rooted near the victim; the root's rate limit of N Bps is divided into N/2 Bps for each of its two children]
Nodes with parents/children form a traffic tree.
Nodes on the tree cooperate to stop the attack.
Rate-limits are propagated from the root to the
leaves. Parents divide their rate-limits among
their children.
Classifiers block attack traffic and forward
traffic bearing legitimate stamps. Core nodes
overwrite these stamps, and mark any unstamped
traffic with monitored stamps. Each node
dedicates bandwidth first to legitimate, then to
monitored, and last to unstamped traffic.
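The alert propagation, stamp-based tree discovery and rate-limit division described in the two passages above, as an added simulation that is not DefCOM's own code. It assumes the overlay is given as an undirected adjacency list, that a path of defense nodes toward the victim is known for each flow, and that a parent splits its rate-limit equally among its children; node names and the limit N = 1000 Bps are constructed.

```python
from collections import deque
from typing import Dict, List, Optional, Set, Tuple


class DefcomOverlay:
    """Peer network of defense nodes; edges are overlay neighbor relations."""

    def __init__(self, edges: List[Tuple[str, str]]):
        self.adj: Dict[str, Set[str]] = {}
        for a, b in edges:
            self.adj.setdefault(a, set()).add(b)
            self.adj.setdefault(b, set()).add(a)

    def flood_alert(self, origin: str) -> Dict[str, Optional[str]]:
        """Forward the alert to every neighbor, but never re-forward one already seen.

        Remembering the alert breaks cycles in a meshed overlay; the returned
        map records which neighbor delivered the alert to each node.
        """
        delivered_by: Dict[str, Optional[str]] = {origin: None}
        queue = deque([origin])
        while queue:
            node = queue.popleft()
            for nb in self.adj[node]:
                if nb not in delivered_by:
                    delivered_by[nb] = node
                    queue.append(nb)
        return delivered_by


def build_traffic_tree(flows: List[List[str]]) -> Dict[str, Set[str]]:
    """Each flow lists the defense nodes it traverses toward the victim.

    Every node stamps what it forwards; the next node on the path sees that
    stamp and records the stamper as its child (it would then send the
    parent message). Assumes each node has a single downstream parent.
    """
    children: Dict[str, Set[str]] = {}
    for path in flows:
        for upstream, downstream in zip(path, path[1:]):
            children.setdefault(downstream, set()).add(upstream)
    return children


def propagate_limits(children: Dict[str, Set[str]], root: str, limit: float) -> Dict[str, float]:
    """Push rate-limits from the root to the leaves; a parent divides its limit equally."""
    limits = {root: float(limit)}
    stack = [root]
    while stack:
        node = stack.pop()
        kids = children.get(node, set())
        for kid in kids:
            limits[kid] = limits[node] / len(kids)
            stack.append(kid)
    return limits


def demo(n_bps: float = 1000.0):
    """Constructed topology: alert generator 'ag' beside the victim, two cores, three classifiers."""
    overlay = DefcomOverlay([
        ("ag", "core2"), ("core2", "core1"), ("core2", "cls3"),
        ("core1", "cls1"), ("core1", "cls2"), ("cls1", "cls2"),  # cls1-cls2 closes a cycle
    ])
    alerted = overlay.flood_alert("ag")
    flows = [["cls1", "core1", "core2"], ["cls2", "core1", "core2"], ["cls3", "core2"]]
    tree = build_traffic_tree(flows)
    limits = propagate_limits(tree, "core2", n_bps)
    return alerted, tree, limits


if __name__ == "__main__":
    alerted, tree, limits = demo()
    print("alert reached:", sorted(alerted))
    print("children:", {k: sorted(v) for k, v in tree.items()})
    print("rate-limits (Bps):", limits)
```

With N = 1000 Bps at the root, core1 and cls3 each receive N/2, and cls1 and cls2 each receive N/4, matching the division shown in the figure; the cls1-cls2 link creates a cycle that the seen-set in `flood_alert` prevents from looping the alert.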