ITR: Modeling Distributed Denial of Service Attacks and Defenses
Carnegie Mellon University, Pittsburgh PA
Abstract
Distributed denial of service (DDOS) attacks have emerged as a prevalent way to take down web sites and have imposed financial losses on companies. The CSI/FBI survey (CSI 2001) shows that 36% of respondents detected denial of service in the last 12-month period, imposing more than $4.2 million in financial losses. The effectiveness of DDOS defenses depends on many factors, such as the nature of the network's topology, the specific attack scenario, and various characteristics of the network routers. However, little research has focused on the tradeoffs inherent in this complex system. The researchers are developing a computational testbed to study security policies and the associated technologies that provide defenses against DDOS attacks, and are using this framework to evaluate various policies and technologies. Our model and the ensuing analyses are informed by research in the areas of computer science, information science, organizational theory and social networks. There have been a number of proposals on how to control on-going DDOS attack traffic; none have been widely deployed. The effectiveness of DDOS defenses depends on many factors, such as the type of network topology, the type of attack, and whether all ISPs are compliant in establishing defenses. However, little is known about the interactions among these factors. Knowing what tradeoffs occur as these factors vary will enable stakeholders to make more informed security policy decisions, adjusting for the chance that others may not make the same decisions. Our research illuminates these tradeoffs. Moreover, the computational model the researchers are building enables the user to examine the tradeoffs associated with various DDOS defenses and attack scenarios at the router level. The researchers focus on two basic research questions.
First, how do ISPs provide DDOS defenses at the lowest cost while their subscribers remain satisfied with the availability of network connections during attacks? A cost-performance analysis of the effectiveness of DDOS defenses is being conducted using results from the computational model. This cost-performance analysis will aid ISPs and local network administrators in their evaluation of DDOS defenses. Second, where are the critical points in a network at which to deploy defenses? The researchers examine the impact of network topology on the deployment location of defenses. Graph-level indices and models from social network studies will be used to categorize network topologies and to select deployment locations for defenses. This analysis will provide guidance to decision makers. Benefits of this research include the following. The policy framework the researchers are developing will help ISPs and subscribers to consider the benefits of providing DDOS defenses and to recognize the tradeoffs among DDOS defenses. Results from this study will enable decision makers to make more informed security policy decisions for computer networks. It is costly and unethical to conduct real-world experiments of DDOS attacks on large networks; this research will provide a cost-effective and ethical means for evaluating various attack scenarios and defenses. Further, the topological measures developed in this research should be useful for studies of other large-scale topologies. As such, this work extends social network measures typically used on small person-to-person networks to large-scale computer networks. Finally, this research provides a theoretical basis for evaluating DDOS defenses, building on interdisciplinary studies from the fields of computer science, information science, organizational theory and social network analysis.