Project Description


Subject of the DDoSVax research project

Distributed Denial of Service (DDoS) attacks have been a threat to Internet services ever since the widely publicized attacks on ebay.com and amazon.com in 2000. ETH itself was the target of such an attack 6 months before these commercial sites were hit. ETH suffered repeated complete loss of Internet connectivity ranging from minutes to hours in duration. Massive DDoS attacks have the potential to cause major disruption of Internet functionality, up to and including severely decreasing backbone availability.

Attack Model

Most DDoS attacks share a common pattern. They begin with an infection phase, in which the initiator acquires the attack resources by compromising a large number of weakly protected hosts, ideally causing little or no visible change in host behavior so that the compromise is hard to notice. An infection phase can last from less than 10 minutes to several months. Attacks that involve on the order of 100,000 or more compromised hosts have already been observed in practice (Code Red, Sapphire).

In a second phase, the attack phase, the attacker uses the compromised hosts to initiate actual attacks on a target computer or network. These attacks can be carried out autonomously or under direct or indirect control of the attacker. Although attack control increases the risk of identification for an attacker, there are ways to keep this risk small.

Motivation

This project is motivated by the fact that more and more hosts are connected to the Internet for longer times, often without competent system administration. One of the largest sources of weakly protected hosts is private users and small businesses that use cheap ADSL or television-cable-based Internet access. While the individual network bandwidth of these hosts is small, control of a larger, well-distributed number of these hosts is enough not only to threaten individual servers or networks, but also to conduct devastating attacks on the Internet infrastructure itself. Research into countermeasures to these threats is therefore essential.

Objectives

This project has the following objectives:

  • Detection of infection phases while infection takes place.
  • Detection and analysis of massive DDoS attacks in near real-time when they start.
  • Provision of methods and tools that support countermeasures during both phases.

Our hypothesis is that both attack phases exhibit distinct traffic patterns that allow detection and distinction from other massive network events like flash-crowds. We will test this hypothesis with measurements of real network traffic and with simulations.

Project Structure

The project has both basic research components and applied components. The basic research components will produce insights into possible detection and analysis algorithms, general attack mitigation strategies and possible (semi-)automatic countermeasures. While there is some basic research on dealing with DDoS attacks in end-networks, there seem to be very few research results on massively distributed DoS attacks and on defenses that backbone operators could use.

The practical components are aimed at prototypical implementations of these methods and possible deployment in a real backbone network. Close cooperation with SWITCH has been established to this end, and in fact SWITCH provides a significant part of the project funding.

Project Team

Timeline

The project officially started on January 1st, 2003.

Project's name

DDoSVax is short for "In search of a vaccine (Vax) against Distributed Denial of Service (DDoS) attacks", which was the initial motivation for starting this project. The two syringes in the logo, which was designed by our Master's thesis student Lukas Haemmerle, symbolize the hope to find a means for mitigating future Internet attacks through intensified network security research.

Related Presentations

  • A survey on DDoS by Thomas Dübendorfer (talk in the Seminar Security Protocols and Applications SS2003 at ETH, 8.4.2003)

Links


(c) 2004  DDoSVax at TIK CSG ETH Zurich, Thomas Dübendorfer, Arno Wagner, last change: 4th May 2004