Distributed Management Architecture for Cooperative Detection and Reaction to DDoS Attacks

Journal of Network and Systems Management

Abstract

We propose a cooperative intrusion detection framework focused on countering Distributed Denial-of-Service (DDoS) attacks through the introduction of a distributed overlay early-warning network. Our goal is to minimize the detection and reaction time and automate responses, while involving as many networks as possible along the attack path. The proposed approach relies on building a “community” of trusted partners that will cooperate by exchanging security information so that inclusion in the attack path is detected locally and without traceback procedures. The main building block is the Cooperative anti-DDoS Entity, a modular software system deployed in each participating network domain that supports secure message exchanges and local responses tailored to individual sites' policies. We discuss the operation and the implementation of a prototype, and we provide a survey of the methodologies against DDoS and compare our approach to related work.
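To make the abstract's design concrete, the following is an added toy model of the cooperative overlay (it is not the paper's prototype, and every name, message format, threshold and policy in it is an assumption). A victim-side domain detects a flood from its own flow records, authenticates an early-warning message to its trusted partners with a shared community key, and each partner decides purely from its own flow table whether it lies on the attack path, applying its own site policy, so no traceback is needed:

```python
import hashlib
import hmac
from dataclasses import dataclass

# Assumption: the community shares a symmetric key for authenticating alerts.
# Constructed value; the real exchange mechanism is not described here.
COMMUNITY_KEY = b"constructed-community-key"


@dataclass(frozen=True)
class Flow:
    """One aggregated flow record seen by a domain's local collector (constructed)."""
    src: str
    dst: str
    proto: str
    pps: int  # packets per second


@dataclass(frozen=True)
class Alert:
    """Early-warning message exchanged between partner domains (hypothetical format)."""
    origin: str
    victim: str
    proto: str
    mac: bytes


def alert_mac(origin: str, victim: str, proto: str) -> bytes:
    """HMAC over the alert fields, so partners only act on messages from the community."""
    msg = f"{origin}|{victim}|{proto}".encode()
    return hmac.new(COMMUNITY_KEY, msg, hashlib.sha256).digest()


def alert_is_authentic(alert: Alert) -> bool:
    expected = alert_mac(alert.origin, alert.victim, alert.proto)
    return hmac.compare_digest(expected, alert.mac)


# Two site policies (assumptions): one drops matching flows outright, one grades by rate.
def strict_policy(flow: Flow) -> str:
    return "drop"


def lenient_policy(flow: Flow) -> str:
    return "rate-limit" if flow.pps >= 500 else "monitor"


class Domain:
    """One participating network domain with its local flow records and policy."""

    def __init__(self, name, flows, policy):
        self.name = name
        self.flows = list(flows)
        self.policy = policy
        self.actions = []  # (source, action) pairs applied locally

    def detect_victim_floods(self, threshold_pps):
        """Victim-side detection: aggregate traffic per (destination, protocol)."""
        totals = {}
        for f in self.flows:
            key = (f.dst, f.proto)
            totals[key] = totals.get(key, 0) + f.pps
        return [Alert(self.name, dst, proto, alert_mac(self.name, dst, proto))
                for (dst, proto), pps in totals.items() if pps >= threshold_pps]

    def on_alert(self, alert):
        """Partner-side handling: verify, then check local flows for the attack path."""
        if not alert_is_authentic(alert):
            return "rejected"
        matched = [f for f in self.flows
                   if f.dst == alert.victim and f.proto == alert.proto]
        if not matched:
            return "not-on-path"
        for f in matched:
            self.actions.append((f.src, self.policy(f)))
        return "on-path"


class Community:
    """The trusted-partner overlay: fan an alert out to every other member."""

    def __init__(self, domains):
        self.members = {d.name: d for d in domains}

    def broadcast(self, alert):
        return {name: d.on_alert(alert)
                for name, d in self.members.items() if name != alert.origin}


def run_scenario():
    """Constructed scenario: three sources flood 10.0.0.5/udp via two transit domains."""
    victim = Domain("victim-net", [
        Flow("198.51.100.7", "10.0.0.5", "udp", 1500),
        Flow("203.0.113.9", "10.0.0.5", "udp", 400),
        Flow("192.0.2.33", "10.0.0.5", "udp", 1200),
    ], strict_policy)
    transit_a = Domain("transit-A", [Flow("198.51.100.7", "10.0.0.5", "udp", 1500),
                                     Flow("198.51.100.8", "10.0.0.77", "tcp", 50)], strict_policy)
    transit_b = Domain("transit-B", [Flow("192.0.2.100", "10.0.0.9", "tcp", 80)], strict_policy)
    transit_c = Domain("transit-C", [Flow("203.0.113.9", "10.0.0.5", "udp", 400)], lenient_policy)
    community = Community([victim, transit_a, transit_b, transit_c])

    alerts = victim.detect_victim_floods(threshold_pps=2000)
    reactions = community.broadcast(alerts[0])
    # A message without a valid MAC must be ignored by partners.
    forged = Alert("victim-net", "10.0.0.5", "udp", b"\x00" * 32)
    tampered = transit_a.on_alert(forged)
    return {"alerts": len(alerts), "reactions": reactions,
            "actions": {d.name: d.actions for d in (transit_a, transit_b, transit_c)},
            "tampered": tampered}


if __name__ == "__main__":
    from pprint import pprint
    pprint(run_scenario())
```

The point the model isolates is the one the abstract makes: a partner learns that it is on the attack path by matching the alert against flow records it already holds, and the reaction (drop, rate-limit, or just monitor) is chosen by that partner's own policy rather than dictated by the victim.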

Correspondence to G. Koutepas.

Koutepas, G., Stamatelopoulos, F. & Maglaris, B. Distributed Management Architecture for Cooperative Detection and Reaction to DDoS Attacks. Journal of Network and Systems Management 12, 73–94 (2004). https://doi.org/10.1023/B:JONS.0000015699.50210.e3
