End to End Defence Against DDoS Atacks

Denial of Service (DoS) attacks and Distributed Denial of Service (DDoS) attacks accounted for more losses than Internet financial fraud and viruses combined (CSI/FBI 2003). The Internet has been exposed as being particularly vulnerable to Denial of Service Attacks. This has stimulated research into DDoS and the consequent development of many techniques which aim to control them. This paper aims to contribute to this literature. An holistic approach to combating DDoS is proposed, which places particular stress on the importance of locating functionality in the most appropriate location and that source, intermediate and destination network elements co-operate together. It is argued that attack traffic is best stopped before it leaves its source network, that it is best detected and analysed at the target network and intermediate routers need precise information to allow them to control economically the DDoS traffic that escapes the source network. The design of a passive monitor that is able to use measurements of attack and regular traffic to enable dynamic configuration of network elements is presented along with a detailed discussion of how such a monitor can be deployed to combat the common SYN flood attack. The extension of this approach to combat other forms of DDoS attack is also discussed.