Toward Scalable Solutions for Distributed DoS Attack Prevention

Sponsor: DARPA ATO FTN under Grant No. F30602-01-2-0530

Principal Investigator: Dr. Kihong Park, Purdue University

Objective

The objective of the project is to design a DDoS defense architecture that is scalable and incrementally deployable in IP internetworks, in particular the global Internet. Scalability means that (a) proactive DDoS protection is achieved by preventing spoofed DDoS attack packets from reaching their targets in the first place, (b) reactive DDoS protection is effected by tracing back the origin of a DDoS attack for spoofed packets that cannot be proactively curtailed, and (c) both forms of protection are achieved through small, partial deployment of route-based packet filtering on Internet autonomous systems.

Research Team

Principal Investigator:
     Prof. Kihong Park

Postdoctoral Researchers:
     Dr. Ali Selcuk

Research Assistants:
     Hyojeong Kim
     Humayun Khan
     Yan Wu

Past Members:
     Dr. Heejo Lee (postdoc; presently with Ahnlab Inc.)
     Dr. Jae-Kwon Kim (research scientist)
     Vignesh Sukumar (research assistant)

Approach

Routers, when faced with an incoming packet, ask "quo vadis" ("where are you headed?") when performing their routing function. Our approach mandates that they also ask "unde venis" ("where do you come from?"). Based on the answer, in certain cases it can be unequivocally determined that a packet is lying (i.e., its source address is spoofed), and the packet is then discarded before it can do damage to its DDoS attack target. Formally, this is called a semi-maximal route-based packet filter.

Our approach, route-based distributed packet filtering, exploits the fact that routing (e.g., BGP in inter-domain routing) constrains the paths a packet carrying a given source and destination address can take, even though Internet routing protocols consult only the destination address, and uses those constraints to discard spoofed IP packets whenever it is safe to do so. Since a single autonomous system or router can only do so much, the key problem lies in understanding what degree of coverage or deployment is needed to achieve significant protective performance.
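As an added illustration, not the project's own simulator or code, the following Python builds the semi-maximal filter described above on a constructed six-AS toy topology: BFS shortest paths stand in for BGP routes, each filter site records which source addresses can legitimately arrive on each ingress link, and a coverage function measures the fraction of spoofed (attacker, source, victim) combinations that a given set of filter sites stops. The topology, the filter-site choice and all function names are assumptions.

```python
from collections import deque

# Constructed toy AS-level topology (undirected adjacency lists), not from the page.
TOPOLOGY = {"A": ["B", "C"], "B": ["A", "D"], "C": ["A", "D", "E"],
            "D": ["B", "C", "F"], "E": ["C", "F"], "F": ["D", "E"]}

def shortest_path(graph, src, dst):
    """Stand-in for BGP: BFS shortest path, ties broken by neighbour order,
    so every (src, dst) pair has exactly one route."""
    parent, queue = {src: None}, deque([src])
    while queue and dst not in parent:
        node = queue.popleft()
        for nxt in graph[node]:
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    path = [dst]
    while parent[path[-1]] is not None:
        path.append(parent[path[-1]])
    return path[::-1]

def build_semi_maximal_filters(graph, filter_sites):
    """Semi-maximal filter ("unde venis"): for each site v and ingress link
    u->v, the set of sources whose route to *some* destination uses u->v."""
    allowed = {v: {u: set() for u in graph[v]} for v in filter_sites}
    for s in graph:
        for t in graph:
            if s != t:
                path = shortest_path(graph, s, t)
                for u, v in zip(path, path[1:]):
                    if v in allowed:
                        allowed[v][u].add(s)
    return allowed

def is_spoofed(filters, node, in_link, src):
    """True when no legitimate route carries src over the link in_link->node."""
    return src not in filters[node][in_link]

def proactive_coverage(graph, filters):
    """Fraction of (attacker a, spoofed source s, victim t) triples dropped by
    some filter site on a's route to t: the proactive-protection measure."""
    triples = [(a, s, t) for a in graph for s in graph for t in graph
               if a != s and a != t]
    def dropped(a, s, t):
        path = shortest_path(graph, a, t)
        return any(v in filters and is_spoofed(filters, v, u, s)
                   for u, v in zip(path, path[1:]))
    return sum(dropped(*x) for x in triples) / len(triples)
```

With filter sites {"C", "D"} (two of six ASes) the toy topology drops 88 of 150 spoofed combinations; changing the site set shows how coverage depends on where filters sit on the routes, which is the question the project's simulator studies at Internet scale.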

Accomplishments

We introduced route-based distributed packet filtering (DPF) and carried out the basic study to determine its effectiveness on Internet AS topologies. We have shown that route-based DPF can achieve significant proactive and reactive protection against spoofed DDoS attacks while requiring less than 15% coverage. This level of performance was shown to hold for Internet AS graphs (NLANR measurement data) from 1997 to 2002, during which time the size of the system grew from about 3,000 to more than 12,000 ASes. That is, route-based DPF is scalable.

Software

Static DPF Simulator (v.1) Release:

The Static DPF Simulator (v.1) is a software tool kit that allows performance evaluation of route-based distributed packet filtering (DPF) to be carried out on large network topologies. The tool has been used to perform benchmarking on measurement-based Internet autonomous system (AS) topologies, including NLANR, RIPE, CAIDA, OREGON+, and Mercator/ISI. The tool gives exact performance results (in this sense it is not a typical "simulator") with respect to proactive and reactive filtering performance aimed at preventing spoofed distributed denial-of-service (DDoS) attacks. The input specification includes the network topology, the selection of filter sites, the filter type, and the routing algorithm. The route tables and filter sites can be read in at initialization, which facilitates performance evaluation under different routing and filter selection criteria. The tool kit includes a number of scripts for data conversion, transit/stub AS classification, and performance metric calculation.

The Static DPF Simulator (v.1) is available at http://www.cs.purdue.edu/nsl/DPF.tar.gz (2.4 MB). The ./README and ./doc/dpf.ps files provide documentation on the usage and internal structure of the tool kit.

Related Documents and Links

     Quad Chart: Year 1 || Year 2
     Network Systems Lab
