One of the major threats to cyber security is the Distributed Denial-of-Service (DDoS) attack in which the victim network elements are bombarded with high volumes of attacking traffic. Since the attacking traffic can be of various forms including fictitious email messages, file transfers, http requests, as well as TCP, UDP, ICMP, and TCP-SYN packet flood with random packet attribute values, it is difficult to differentiate the attacking packets from legitimate ones. Such attacking traffic often originates from a large number of compromised machines, possibly with spoofed source IP addresses or innocent “zombie” hosts under the control of hackers. Worse still, there are three kinds of sophisticated DDoS attacks that seriously threaten the current Internet and have not been solved yet.

(1) Fast Adaptive Attack (FAA): Most of the current DDoS defense systems utilize a binary rule or statistical filtering policy to differentiate attacking from legitimate traffic. When a packet arrives, the defense system checks the packet header and decides whether to drop or pass it based on the binary rule or statistical filtering policy. The rule or policy is either manually configured or automatically generated periodically. However, a sophisticated attacker can send probing packets and observe the corresponding response from the victim to infer whether the probing packets successfully go through the defense system. The sophisticated attacker then adaptively generates attacking traffic based on the feedback from a victim in Round Trip Time (RTT). Almost all proposed rules-based filtering schemes cannot effectively defend against FAAs, since they need a relatively long time (compared to RTT) to update filtering rules. 

(2) Adaptive Attacks with statistical filtering rules Scanning (AAS): The viability of those statistical filtering (or nominal traffic profile) approaches is based on the premise that attackers do not know the victim’s nominal traffic profile and cannot fake legitimate traffic. However, once the statistical filtering rules-based DDoS defense system is widely deployed, DDoS attack tools may be invented to learn the statistical filtering rules of the defense system or the victim’s nominal traffic profile. For instance, probing packets are crafted and sent to the victim. By observing the corresponding responses from the victim or performance degradation of the victim network, the attacker can estimate the victim’s nominal traffic profiles and generate flooding traffic according to the learned profiles. Under this intelligent attack, those statistical filtering rules-based DDoS defense systems will fail to function.

(3) Low-Rate TCP Attack (LRA): the attackers sends periodic attack pulses (i.e., short bursts of traffic at a high data rate) to overflow a router’s buffer and render packet loss. By synchronizing the attacking period to the Retransmission Timeout (RTO) duration, the attacker can force TCP flows on the congested link to frequently enter a timeout state, which leads to low throughput. These kinds of attacks could become major threats to the Internet's stability as they can significantly impact network throughput while staying under the radar by sending packet streams with an average rate much smaller than the link capacity.

In this project, we propose a Leaky-Bucket based highly robust DDoS defense system, called RateGuard. It can react to FAA and LRA by rate-limiting excessive traffic in real-time according to the victim’s nominal traffic profile. Moreover, by associating an LB with each joint attribute value, the huge space required for possible joint attribute values makes it almost impossible for attackers to scan the victim’s nominal traffic profiles, an effective way to defend AAS.

References

1. Y. Kim, W. Lau, M. Chuah, J. Chao, "PacketScore: Statistical-based Overload Control against Distributed Denial-of-Service Attacks," in Proceedings of Infocom, 2004.

2. M. Chuah, Y. Kim, W. Lau, J. Chao, "Transient Behavior of PacketScore," in Proceedings of ICC, 2004.

3. P. Ayres, H. Sun, H. Jonathan Chao, and W. C. Lau "ALPi: A DDoS Defense System for High-Speed Networks," IEEE Journal on Selected Areas in Communications (JSAC), vol. 24, issue 10, pp 1864-8176, Oct 2006.

4. P. Ayres, H. Sun, H. Jonathan Chao, and W. C. Lau, "A Distributed Denial-of-Service Defense System Using Leaky-Bucket-Based PacketScore," Applied Cryptography and Network Security, ACNS 2005, New York, June 2005.

5. H. Sun, Y. Zhuang, and H. Chao, "Principal Components Analysis based Robust DDoS Defense System," submitted to ICC 2008. 6. H. Sun, W. Ngan, and H. Chao, "RateGuard: A Robust Distributed Denial of Service (DDoS) Defense System," submitted to IEEE Transactions on Dependable and Secure Computing.