Author

Jelena Mirkovic

Bio: Jelena Mirkovic is an academic researcher at the Information Sciences Institute. Her research topics include denial-of-service attacks and the Internet. She has an h-index of 28 and has co-authored 89 publications receiving 4,710 citations. Her previous affiliations include the University of California, Los Angeles and the University of Southern California.


Papers
Journal ArticleDOI

[...]

01 Apr 2004
TL;DR: This paper presents two taxonomies for classifying attacks and defenses in distributed denial-of-service (DDoS) and provides researchers with a better understanding of the problem and the current solution space.
Abstract: Distributed denial-of-service (DDoS) is a rapidly growing problem. The multitude and variety of both the attacks and the defense approaches is overwhelming. This paper presents two taxonomies for classifying attacks and defenses, and thus provides researchers with a better understanding of the problem and the current solution space. The attack classification criteria were selected to highlight commonalities and important features of attack strategies that define challenges and dictate the design of countermeasures. The defense taxonomy classifies the body of existing DDoS defenses based on their design decisions; it then shows how these decisions dictate the advantages and deficiencies of proposed solutions.

1,747 citations

Proceedings ArticleDOI

[...]

12 Nov 2002
TL;DR: D-WARD is proposed, a DDoS defense system deployed at source-end networks that autonomously detects and stops attacks originating from these networks; it offers good service to legitimate traffic even during an attack, while effectively reducing DDoS traffic to a negligible level.
Abstract: Distributed denial-of-service (DDoS) attacks present an Internet-wide threat. We propose D-WARD, a DDoS defense system deployed at source-end networks that autonomously detects and stops attacks originating from these networks. Attacks are detected by the constant monitoring of two-way traffic flows between the network and the rest of the Internet and periodic comparison with normal flow models. Mismatching flows are rate-limited in proportion to their aggressiveness. D-WARD offers good service to legitimate traffic even during an attack, while effectively reducing DDoS traffic to a negligible level. A prototype of the system has been built in a Linux router. We show its effectiveness in various attack scenarios, discuss motivations for deployment, and describe associated costs.

480 citations

Proceedings ArticleDOI

[...]

23 Jun 2002
TL;DR: A new protocol is described, named SAVE, that can provide routers with the information needed for source address validation, and its correctness and performance are evaluated by simulation experiments.
Abstract: Forcing all IP packets to carry correct source addresses can greatly help network security, attack tracing, and network problem debugging. However, due to asymmetries in today's Internet routing, routers do not have readily available information to verify the correctness of the source address for each incoming packet. In this paper we describe a new protocol, named SAVE, that can provide routers with the information needed for source address validation. SAVE messages propagate valid source address information from the source location to all destinations, allowing each router along the way to build an incoming table that associates each incoming interface of the router with a set of valid source address blocks. This paper presents the protocol design and evaluates its correctness and performance by simulation experiments. The paper also discusses the issues of protocol security, the effectiveness of partial SAVE deployment, and the handling of unconventional forms of network routing, such as mobile IP and tunneling.

266 citations

Journal ArticleDOI

[...]

TL;DR: D-WARD is proposed, a source-end DDoS defense system that achieves autonomous attack detection and surgically accurate response, thanks to its novel traffic profiling techniques, its adaptive response and its source-end deployment.
Abstract: Defenses against flooding distributed denial-of-service (DDoS) commonly respond to the attack by dropping the excess traffic, thus reducing the overload at the victim. The major challenge is differentiating legitimate traffic from attack traffic, so that the dropping policies can be selectively applied. We propose D-WARD, a source-end DDoS defense system that achieves autonomous attack detection and surgically accurate response, thanks to its novel traffic profiling techniques, the adaptive response and the source-end deployment. Moderate traffic volumes seen near the sources, even during the attacks, enable extensive statistics gathering and profiling, facilitating high response selectiveness. D-WARD inflicts extremely low collateral damage on legitimate traffic, while quickly detecting and severely rate-limiting outgoing attacks. D-WARD has been extensively evaluated in a controlled testbed environment and in real network operation. Results of selected tests are presented in the paper.

200 citations

Book

[...]

01 Jan 2005
TL;DR: In this book, the authors present an overview of DDoS defenses after first explaining how attacks are waged (recruitment and control of the agent network, semantic levels of DDoS attacks, attack toolkits, IP spoofing and attack trends), followed by detailed defense approaches, a survey of research defenses, and legal issues.
Abstract: Table of contents.
Foreword. Acknowledgments. About the Authors.
1. Introduction. DoS and DDoS; Why Should We Care?; What Is This Book?; Who Is This Book For?; What Can This Book Help You Do?; Outline of the Remaining Chapters.
2. Understanding Denial of Service. The Ulterior Motive; Meet the Attackers; Behind the Scenes; Distribution Effects; DDoS: Hype or Reality?; How Vulnerable Are You to DDoS?
3. History of DoS and DDoS. Motivation; Design Principles of the Internet; DoS and DDoS Evolution.
4. How Attacks Are Waged. Recruitment of the Agent Network; Controlling the DDoS Agent Network; Semantic Levels of DDoS Attacks; Attack Toolkits; What Is IP Spoofing?; DDoS Attack Trends.
5. An Overview of DDoS Defenses. Why DDoS Is a Hard Problem; DDoS Defense Challenges; Prevention versus Protection and Reaction; DDoS Defense Goals; DDoS Defense Locations; Defense Approaches.
6. Detailed Defense Approaches. Thinking about Defenses; General Strategy for DDoS Defense; Preparing to Handle a DDoS Attack; Handling an Ongoing DDoS Attack as a Target; Handling an Ongoing DDoS Attack as a Source; Agreements/Understandings with Your ISP; Analyzing DDoS Tools.
7. Survey of Research Defense Approaches. Pushback; Traceback; D-WARD; NetBouncer; Secure Overlay Services (SOS); Proof of Work; DefCOM; COSSACK; Pi; SIFF: An End-Host Capability Mechanism to Mitigate DDoS Flooding Attacks; Hop-Count Filtering (HCF); Locality and Entropy Principles; An Empirical Analysis of Target-Resident DoS Filters; Research Prognosis.
8. Legal Issues. Basics of the U.S. Legal System; Laws That May Apply to DDoS Attacks; Who Are the Victims of DDoS?; How Often Is Legal Assistance Sought in DDoS Cases?; Initiating Legal Proceedings as a Victim of DDoS; Evidence Collection and Incident Response Procedures; Estimating Damages; Jurisdictional Issues; Domestic Legal Issues; International Legal Issues; Self-Help Options; A Few Words on Ethics; Current Trends in International Cyber Law.
9. Conclusions. Prognosis for DDoS; Social, Moral, and Legal Issues; Resources for Learning More; Conclusion.
Appendix A. Glossary.
Appendix B. Survey of Commercial Defense Approaches. Mazu Enforcer by Mazu Networks; Peakflow by Arbor Networks; WS Series Appliances by Webscreen Technologies; Captus IPS by Captus Networks; MANAnet Shield by CS3; Cisco Traffic Anomaly Detector XT and Cisco Guard XT; StealthWatch by Lancope; Summary.
Appendix C. DDoS Data. 2004 CSI/FBI Computer Crime and Security Survey; Inferring Internet Denial-of-Service Activity; A Framework for Classifying Denial-of-Service Attacks; Observations and Experiences Tracking Denial-of-Service Attacks across a Regional ISP; Report on the DDoS Attack on the DNS Root Servers; Conclusion.
References. Index.

158 citations


Cited by

[...]

01 Jan 2005

1,312 citations

Proceedings ArticleDOI

[...]

Frank McSherry
29 Jun 2009
TL;DR: PINQ's unconditional structural guarantees require no trust placed in the expertise or diligence of the analysts, substantially broadening the scope for design and deployment of privacy-preserving data analysis, especially by non-experts.
Abstract: We report on the design and implementation of the Privacy Integrated Queries (PINQ) platform for privacy-preserving data analysis. PINQ provides analysts with a programming interface to unscrubbed data through a SQL-like language. At the same time, the design of PINQ's analysis language and its careful implementation provide formal guarantees of differential privacy for any and all uses of the platform. PINQ's unconditional structural guarantees require no trust placed in the expertise or diligence of the analysts, substantially broadening the scope for design and deployment of privacy-preserving data analysis, especially by non-experts.

1,036 citations

Journal ArticleDOI

[...]

TL;DR: The primary intention for this work is to stimulate the research community into developing creative, effective, efficient, and comprehensive prevention, detection, and response mechanisms that address the DDoS flooding problem before, during and after an actual attack.
Abstract: Distributed Denial of Service (DDoS) flooding attacks are one of the biggest concerns for security professionals. DDoS flooding attacks are typically explicit attempts to disrupt legitimate users' access to services. Attackers usually gain access to a large number of computers by exploiting their vulnerabilities to set up attack armies (i.e., Botnets). Once an attack army has been set up, an attacker can invoke a coordinated, large-scale attack against one or more targets. Developing a comprehensive defense mechanism against identified and anticipated DDoS flooding attacks is a desired goal of the intrusion detection and prevention research community. However, the development of such a mechanism requires a comprehensive understanding of the problem and the techniques that have been used thus far in preventing, detecting, and responding to various DDoS flooding attacks. In this paper, we explore the scope of the DDoS flooding attack problem and attempts to combat it. We categorize the DDoS flooding attacks and classify existing countermeasures based on where and when they prevent, detect, and respond to the DDoS flooding attacks. Moreover, we highlight the need for a comprehensive distributed and collaborative defense approach. Our primary intention for this work is to stimulate the research community into developing creative, effective, efficient, and comprehensive prevention, detection, and response mechanisms that address the DDoS flooding problem before, during and after an actual attack.

958 citations

Journal ArticleDOI

[...]

TL;DR: This paper focuses on the multihop performance of a novel forwarding technique based on geographical location of the nodes involved and random selection of the relaying node via contention among receivers, and an idealized scheme (in which the best relay node is always chosen) is discussed.
Abstract: In this paper, we propose a novel forwarding technique based on geographical location of the nodes involved and random selection of the relaying node via contention among receivers. We focus on the multihop performance of such a solution, in terms of the average number of hops to reach a destination as a function of the distance and of the average number of available neighbors. An idealized scheme (in which the best relay node is always chosen) is discussed and its performance is evaluated by means of both simulation and analytical techniques. A practical scheme to select one of the best relays is shown to achieve performance very close to that of the ideal case. Some discussion about design issues for practical implementation is also given.

953 citations