Poster

DefCOM
Defensive Cooperative Overlay Mesh
Max Robinson
Jelena Mirković
Dr. Peter Reiher
Motivation
• Distributed denial-of-service attacks require a distributed solution.
• Detection is more effective closer to the victim network.
• Response is more selective closer to the source.
• Good coverage with a few deployment points in intermediate network.
[Figure: attackers and clients sending traffic toward the victim across the intermediate network]
Idea
• Combine diverse defense systems for cooperative response.
Additional benefits
• Wide deployment is achieved by accommodating legacy systems.
• Defense nodes can specialize in those functions they can do best.
• Through communication, the strengths of specialists can address
challenges for other nodes.
Distributed Peer-to-Peer Network for DDoS Defense
DefCOM is a peer-to-peer network of defense nodes that exchange
information and services to perform cooperative DDoS defense.
Three types of nodes:
• Alert generator nodes – detect the attack and alert the rest of the peer network
• Core nodes – perform simple rate-limiting
• Classifier nodes – differentiate between legitimate traffic and attack traffic, forward legitimate packets and severely rate-limit attack packets
All nodes in the peer network cooperate to give preferential service to
legitimate traffic and constrain the attack by:
• Deploying secure packet stamping – each node defines its legitimate and monitored stamp. Classifier nodes mark legitimate packets with legitimate stamps, and the rest of traffic with monitored stamps. Core nodes rewrite these stamps. Any unmarked packets reaching core nodes will be stamped as monitored if they pass the rate-limit.
• Serving packets in three service levels – A core node apportions its bandwidth first to packets bearing legitimate stamps, then to packets bearing monitored stamps and any leftover to unstamped traffic.
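The stamping and three-level service described above, modelled in Python as an added example. This is not code from the DefCOM project: the poster does not say how stamps are generated, so this model assumes each node's legitimate and monitored stamps are random secrets it shares only with neighbours; node names, the `Packet` structure and the traffic in `demo()` are constructed for the illustration.

```python
"""Model of a DefCOM classifier and core node: secure stamping and three
service levels.  Added illustration, not code from the DefCOM project.
Stamp format, node names and sample traffic are constructed assumptions."""
import secrets
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Packet:
    src: str
    size: int                      # bytes
    stamp: Optional[str] = None    # opaque token; None for unstamped traffic


class Node:
    """Every node defines its own legitimate and monitored stamp.  Assumed
    here to be random secrets, so a stamp cannot be guessed by an attacker."""

    def __init__(self, name: str):
        self.name = name
        self.legit_stamp = secrets.token_hex(8)
        self.mon_stamp = secrets.token_hex(8)
        self.known: dict = {}      # neighbour's stamp -> "legit" | "mon"

    def learn_neighbor(self, other: "Node") -> None:
        self.known[other.legit_stamp] = "legit"
        self.known[other.mon_stamp] = "mon"

    def classify(self, pkt: Packet) -> str:
        # A forged or unknown stamp gets no better service than no stamp.
        return self.known.get(pkt.stamp, "unstamped")


class Classifier(Node):
    """Marks legitimate packets, severely rate-limits everything else."""

    def __init__(self, name: str, is_legitimate: Callable[[Packet], bool],
                 attack_limit: int):
        super().__init__(name)
        self.is_legitimate = is_legitimate    # the classifier's own verdict
        self.attack_limit = attack_limit      # bytes of attack traffic allowed

    def process(self, packets: List[Packet]) -> List[Packet]:
        out, budget = [], self.attack_limit
        for p in packets:
            if self.is_legitimate(p):
                out.append(Packet(p.src, p.size, self.legit_stamp))
            elif p.size <= budget:
                budget -= p.size
                out.append(Packet(p.src, p.size, self.mon_stamp))
        return out


class Core(Node):
    """Serves legitimate, then monitored, then unstamped traffic within its
    rate limit and rewrites neighbours' stamps with its own."""

    def __init__(self, name: str, rate_limit: int):
        super().__init__(name)
        self.rate_limit = rate_limit

    def process(self, packets: List[Packet]) -> Tuple[List[Packet], List[Packet]]:
        order = {"legit": 0, "mon": 1, "unstamped": 2}
        budget, forwarded, dropped = self.rate_limit, [], []
        # Stable sort: class order first, arrival order within a class.
        for p in sorted(packets, key=lambda q: order[self.classify(q)]):
            if p.size > budget:
                dropped.append(p)
                continue
            budget -= p.size
            # Unstamped packets that pass the limit leave stamped as monitored.
            stamp = self.legit_stamp if self.classify(p) == "legit" else self.mon_stamp
            forwarded.append(Packet(p.src, p.size, stamp))
        return forwarded, dropped


def demo():
    """Constructed scenario: one classifier feeding one core node."""
    clf = Classifier("classifier1", lambda p: p.src.startswith("client"), attack_limit=1000)
    core = Core("core1", rate_limit=3000)
    core.learn_neighbor(clf)
    via_classifier = clf.process([
        Packet("client-a", 1000), Packet("attacker-1", 1000),
        Packet("client-b", 1000), Packet("attacker-2", 1000),
    ])
    # Traffic reaching the core directly: unstamped, or carrying a forged stamp.
    direct = [Packet("attacker-3", 1000), Packet("attacker-4", 500, stamp="forged")]
    fwd, drop = core.process(via_classifier + direct)
    return clf, core, fwd, drop


if __name__ == "__main__":
    _, core, fwd, drop = demo()
    for p in fwd:
        print("forward", p.src, "legit" if p.stamp == core.legit_stamp else "monitored")
    for p in drop:
        print("drop   ", p.src)
```

In the constructed run the classifier lets both client packets through with legitimate stamps and only the first attacker packet through with a monitored stamp; the core then spends its 3000-byte budget on those three, so the unstamped and forged-stamp packets are dropped even though they arrived in the same interval.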
[Figure: attack detected. Alert generator nodes near the victim alert the classifier and core nodes on the paths from attackers and clients to the victim.]
Alert generators detect the attack and send alerts to all peers in the network. Nodes forward alerts to their neighbors, yet avoid cycles.
Nodes stamp packets that they forward to the victim. When a node
detects a packet with its neighbor’s stamp, this neighbor becomes the
node’s child. The node sends a “parent” message to its children.
[Figure: traffic tree. The core node nearest the victim applies a rate limit of N Bps and gives each of its two child cores a rate limit of N/2 Bps; classifiers sit below the cores on the paths from clients and attackers.]
Nodes with parents/children form a traffic tree. Nodes on the tree
cooperate to stop the attack. Rate-limits are propagated from the root
to the leaves. Parents divide their rate-limits among their children.
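The alert flooding with cycle avoidance, the parent/child discovery from observed stamps, and the root-to-leaf rate-limit propagation described above, as one added example in Python. It is not code from the DefCOM project: the topology, the stamp observations and the equal split among children are constructed assumptions (the poster says only that parents divide their rate-limits among their children, not how), and alerts are de-duplicated by an alert id that each node remembers, which is one common way to avoid forwarding cycles.

```python
"""Traffic-tree formation and rate-limit propagation in a DefCOM peer network.
Added illustration, not the project's code; topology and split rule are
constructed assumptions."""
from collections import defaultdict, deque
from typing import Dict, List, Tuple


def flood_alert(neighbors: Dict[str, List[str]], origin: str, alert_id: str):
    """Every node forwards an alert to all neighbours except the sender, but
    only the first time it sees that alert id; repeats are dropped, which is
    what stops the alert cycling on meshed topologies."""
    seen = {n: set() for n in neighbors}
    received, forwards = [], 0
    queue = deque([(origin, alert_id, None)])
    while queue:
        node, aid, sender = queue.popleft()
        if aid in seen[node]:
            continue                     # duplicate: drop, do not forward
        seen[node].add(aid)
        received.append(node)
        for nb in neighbors[node]:
            if nb != sender:
                forwards += 1
                queue.append((nb, aid, node))
    return received, forwards


def _reaches(children: Dict[str, List[str]], start: str, target: str) -> bool:
    stack = [start]
    while stack:
        n = stack.pop()
        if n == target:
            return True
        stack.extend(children.get(n, []))
    return False


def build_tree(observations: List[Tuple[str, str]]):
    """observations: (observer, owner) pairs meaning 'observer forwarded a
    packet carrying owner's stamp'.  The owner becomes the observer's child
    and receives a 'parent' message.  A node keeps its first parent, and an
    edge that would close a loop is ignored."""
    children: Dict[str, List[str]] = defaultdict(list)
    parent: Dict[str, str] = {}
    messages = []
    for observer, owner in observations:
        if owner in parent or _reaches(children, owner, observer):
            continue
        children[observer].append(owner)
        parent[owner] = observer
        messages.append(("parent", observer, owner))
    return dict(children), parent, messages


def propagate_limits(children: Dict[str, List[str]], root: str, root_limit: float):
    """Push rate limits from the root toward the leaves; each parent splits
    its own limit equally among its children (assumed split rule)."""
    limits = {root: root_limit}
    stack = [root]
    while stack:
        node = stack.pop()
        kids = children.get(node, [])
        if kids:
            share = limits[node] / len(kids)
            for k in kids:
                limits[k] = share
                stack.append(k)
    return limits


# Constructed topology: core1 sits next to the victim, two cores below it,
# classifiers below those.  Alert links mesh the cores with the generator.
NEIGHBORS = {
    "alert-gen": ["core1"],
    "core1": ["alert-gen", "core2", "core3"],
    "core2": ["core1", "core3", "classifier1"],
    "core3": ["core1", "core2", "classifier2", "classifier3"],
    "classifier1": ["core2"], "classifier2": ["core3"], "classifier3": ["core3"],
}
OBSERVATIONS = [("core1", "core2"), ("core1", "core3"), ("core2", "classifier1"),
                ("core3", "classifier2"), ("core3", "classifier3"),
                ("core2", "core1")]   # would close a loop: must be ignored


def demo(n_bps: float = 1000.0):
    received, forwards = flood_alert(NEIGHBORS, "alert-gen", "alert-1")
    children, parent, messages = build_tree(OBSERVATIONS)
    limits = propagate_limits(children, "core1", n_bps)
    return received, forwards, children, parent, messages, limits


if __name__ == "__main__":
    received, forwards, children, parent, messages, limits = demo()
    print("alert reached", received, "with", forwards, "forwards")
    print("parent messages", messages)
    print("limits", limits)
```

With `n_bps=1000` the root keeps 1000 Bps, the two child cores get 500 Bps each, and the classifiers under core3 get 250 Bps each, which is the N, N/2 division shown in the figure carried one level further.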
Classifiers block attack traffic and forward traffic bearing legitimate
stamps. Core nodes overwrite these stamps, and mark any unstamped
traffic with monitored stamps. Each node dedicates bandwidth first
to legitimate, then to monitored, and last to unstamped traffic.