Collaborative detection and filtering of DDoS attacks in ISP core networks

2006 
Distributed denial of service (DDoS) attacks pose a major threat to the Internet. Although a promising solution would be a truly distributed scheme covering a wide area, most reported solutions conform to the end-to-end paradigm and target end-node victims. Because these solutions cannot detect anomalies occurring inside the intermediate network, they cannot detect DDoS attacks at an early stage. This dissertation explores the defense against DDoS attacks from an ISP perspective. A distributed scheme over multiple ISP domains is proposed, which relies on ISP routers monitoring traffic fluctuations and sharing information with their peers. To resolve security policy conflicts between ISPs, a new secure infrastructure protocol (SIP) is developed to establish trust between them. SIP provides a secure platform supporting collaborative detection of and response to DDoS attacks. Distributed schemes are proposed to fight both brute-force flooding DDoS attacks and stealthy low-rate TCP-targeted DDoS attacks. Having observed the directionality and aggregation characteristics in the spatiotemporal pattern of flooding flows, a distributed change-point (DCP) detection architecture was developed using change aggregation trees (CAT). The DCP scheme detects traffic variances across network domains, and all CAT servers exchange alert information to make global detection decisions. After early detection, MAlicious Flow Identification and Cutoff (MAFIC) issues lightweight probes to flow sources to segregate malicious flows with minimal collateral damage. A novel spectral template-matching approach is proposed to counter shrew DDoS attacks. Combining digital signal processing techniques with hypothesis testing, collaborative detection and filtering (CDF) detects and cuts off shrew attack flows embedded in legitimate TCP/UDP streams by spectral analysis.
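The spectral side of the abstract (CDF detecting shrew flows by their frequency signature) is easiest to see on a concrete time series. The block below is an added example written for this page, not code from the dissertation: it samples per-flow packet counts into 10 ms bins, takes a plain DFT of the mean-removed series, and uses the fraction of AC energy below 10 Hz as the test statistic. That energy-ratio statistic and the 0.5 decision threshold are simplifying assumptions standing in for the dissertation's template matching and hypothesis test; the shrew pattern (a 100 ms burst every 1 s, the RTO-sized period a shrew flow exploits) and the noisy steady "legitimate" flow are constructed inputs, and the bin size, window length and cutoff frequency are likewise assumptions.

```python
import math
import random

# Sampling assumptions (constructed for this example, not taken from the dissertation):
# per-flow packet counts are binned at 10 ms over a 5.12 s window.
BIN_SECONDS = 0.01
WINDOW = 512
LOW_BAND_HZ = 10.0   # bursts ~100 ms wide keep most of their energy below ~1/width = 10 Hz
THRESHOLD = 0.5      # decide "shrew" when more than half of the AC energy sits in the low band


def power_spectrum(series):
    """One-sided power spectrum |X_k|^2 for k = 1..N/2 of the mean-removed series (plain DFT)."""
    n = len(series)
    mean = sum(series) / n
    x = [v - mean for v in series]          # drop the DC term so only fluctuations count
    spectrum = []
    for k in range(1, n // 2 + 1):
        re = sum(x[t] * math.cos(2 * math.pi * k * t / n) for t in range(n))
        im = -sum(x[t] * math.sin(2 * math.pi * k * t / n) for t in range(n))
        spectrum.append(re * re + im * im)
    return spectrum


def low_band_energy_ratio(series, dt=BIN_SECONDS, cutoff_hz=LOW_BAND_HZ):
    """Test statistic: fraction of AC energy at frequencies below cutoff_hz."""
    spec = power_spectrum(series)
    total = sum(spec)
    if total == 0:                          # perfectly constant flow: no fluctuation energy at all
        return 0.0
    n = len(series)
    # DFT bin k corresponds to frequency k / (N * dt)
    low = sum(p for k, p in enumerate(spec, start=1) if k / (n * dt) < cutoff_hz)
    return low / total


def is_shrew(series, threshold=THRESHOLD):
    """Simplified hypothesis test: H1 (shrew) when the low-band ratio exceeds the threshold."""
    return low_band_energy_ratio(series) > threshold


def make_shrew_flow(period_s=1.0, burst_s=0.1, pkts_per_bin=40, n=WINDOW, dt=BIN_SECONDS):
    """Constructed shrew pattern: a short burst every RTO-sized period, silence otherwise."""
    period_bins = round(period_s / dt)
    burst_bins = round(burst_s / dt)
    return [pkts_per_bin if i % period_bins < burst_bins else 0 for i in range(n)]


def make_tcp_flow(seed, mean_pkts=4.0, n=WINDOW):
    """Constructed stand-in for a legitimate flow: noisy but roughly steady packet counts."""
    rnd = random.Random(seed)
    return [max(0, round(rnd.gauss(mean_pkts, 1.5))) for _ in range(n)]


def filter_flows(flows):
    """Return the ids of flows the spectral test flags for cutoff; the rest pass untouched."""
    return sorted(fid for fid, series in flows.items() if is_shrew(series))


if __name__ == "__main__":
    flows = {"tcp-1": make_tcp_flow(1), "tcp-2": make_tcp_flow(2), "shrew": make_shrew_flow()}
    for fid, series in flows.items():
        print(f"{fid:6s} low-band energy ratio = {low_band_energy_ratio(series):.2f}")
    print("flows to cut off:", filter_flows(flows))
```

The square-wave burst pattern concentrates almost all of its fluctuation energy in the fundamental at 1 Hz and its first few harmonics, so the shrew flow scores close to 0.9, while a white-noise-like steady flow spreads its energy evenly and lands near the 10 Hz / 50 Hz Nyquist share of about 0.2. In practice the threshold would be chosen from measured false-alarm and detection rates rather than fixed by hand, and a flow flagged here would still be probed or rate-limited rather than dropped outright, as the abstract's MAFIC step describes.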
The performance of the distributed schemes is evaluated through extensive experiments on DETER testbeds and NS-2 simulators. Experimental results show that a significant improvement is achieved by detecting anomalies that cross multiple ISP networks cooperatively. Information sharing among neighboring routers and SIP servers effectively increased detection rates while decreasing the number of false alarms. The experiments verified the effectiveness of the DCP and CDF schemes and achieved encouraging results.