Give the U.S. federal government credit for attempting to find more broad-based solutions to the global problem of DDoS attacks. We reported a few months ago that DARPA is soliciting research projects on innovative ways to create resilient defenses against DDoS attacks. (See DARPA announces the Extreme DDoS Defense Program to solicit innovative ways to thwart attacks.) Now the Department of Homeland Security (DHS) is getting in on the act as well.
The Science and Technology Directorate within DHS recently let a $1.7 million contract to Galois, a renowned firm in the computer science research and development sector. The purpose of the contract is to have Galois develop a collaboration platform to prevent and mitigate DDoS attacks in their earliest stages. Galois calls its project “DDoS Defense for a Community of Peers,” or 3DCoP for short.
3DCoP aims to reduce the time between the start of an attack and the detection of the attack by 25%; reduce mitigation response time by 50%; and ultimately reduce peak traffic flow by 75% to 90%. As a result of these reductions, organizations should be able to detect and block DDoS attacks before reaching complete network saturation. Here’s how Galois describes its approach:
The solution is based on a unique collaborative model wherein multiple organizations work together to detect DDoS attacks, compute mitigations, and convince service providers to take action. 3DCoP advances the state of DDoS defense by providing new tools that allow multiple defenders to coordinate their response, resulting in earlier detection and faster DDoS mitigation. Underlying the implementation is a unique traffic flow monitoring capability which observes traffic flows in and out of the enclave and finds patterns of interest.
3DCoP then transmits these discovered patterns via a peer-to-peer collaboration mechanism that can compute a more complete view of the network. As a result, rather than having a single, small entity requesting a rule change of a major ISP, there is a large virtual organization that acts with consensus. The illustration below shows how this process works.
Galois researchers believe that in order to effectively mitigate a large attack, an organization must involve other organizations “higher up” the Internet chain, like ISPs, that can stop the flow of malicious traffic. This collaborative model has multiple organizations working together to detect DDoS attacks through automatic traffic analysis. They then generate traffic-blocking rules for the malicious traffic and send those rules to ISPs further up the chain. The ISPs can, in turn, block the necessary traffic and mitigate the attacks.
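The workflow described above (per-enclave flow monitoring, peer-to-peer sharing of the patterns found, a consensus decision, and block rules handed upstream) can be sketched end to end in a few dozen lines. The following is an added illustration written for this article, not Galois's 3DCoP code: the function names, the /24 aggregation, the "five times baseline" local threshold, the quorum rule, the ACL-style rule text, and the flow records for the three enclaves are all constructed assumptions chosen to show the idea, not details taken from the project.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Flow:
    """One inbound flow record as a monitoring sensor might summarize it (constructed)."""
    src: str
    dst: str
    packets: int


def prefix_of(ip: str, plen: int = 24) -> str:
    """Aggregate a source address to its covering prefix (assumption: /24 granularity)."""
    return str(ip_network(f"{ip}/{plen}", strict=False))


def detect_local(flows, baseline_pps: float, factor: float = 5.0) -> dict:
    """Per-enclave detection: sum inbound packets per source prefix and report the
    prefixes whose volume exceeds factor * baseline as 'patterns of interest'.
    The score is the multiple of baseline observed (assumed scoring, illustrative)."""
    counts = Counter()
    for f in flows:
        counts[prefix_of(f.src)] += f.packets
    return {p: c / baseline_pps for p, c in counts.items() if c > factor * baseline_pps}


def consensus(reports: dict, quorum: int) -> dict:
    """Merge the patterns shared by all peers. A prefix is confirmed only when at
    least `quorum` enclaves flagged it independently, so one site's flash crowd
    does not turn into a block request against an ISP."""
    votes = defaultdict(list)
    for peer, patterns in reports.items():
        for prefix, score in patterns.items():
            votes[prefix].append((peer, round(score, 1)))
    return {p: sorted(v) for p, v in votes.items() if len(v) >= quorum}


def blocking_rules(confirmed: dict, total_peers: int) -> list:
    """Render confirmed prefixes as generic ACL-style lines for an upstream provider
    (rule syntax is illustrative, not any vendor's or ISP's format)."""
    return [
        f"deny ip {prefix} any  # confirmed by {len(voters)} of {total_peers} peers"
        for prefix, voters in sorted(confirmed.items())
    ]


def coordinate(peer_flows: dict, baseline_pps: float, quorum: int):
    """Run the whole loop: local detection at each peer, share, vote, emit rules."""
    reports = {peer: detect_local(flows, baseline_pps) for peer, flows in peer_flows.items()}
    confirmed = consensus(reports, quorum)
    return reports, confirmed, blocking_rules(confirmed, len(peer_flows))


# Constructed sample: three enclaves observe the same abusive prefix (203.0.113.0/24,
# a documentation range), while 198.51.100.0/24 is busy only at enclave-a.
PEER_FLOWS = {
    "enclave-a": [
        Flow("203.0.113.5", "10.0.0.1", 1500),
        Flow("203.0.113.77", "10.0.0.1", 2500),
        Flow("198.51.100.9", "10.0.0.2", 900),
        Flow("192.0.2.10", "10.0.0.1", 50),
    ],
    "enclave-b": [
        Flow("203.0.113.12", "10.1.0.1", 3000),
        Flow("192.0.2.44", "10.1.0.1", 80),
    ],
    "enclave-c": [
        Flow("203.0.113.200", "10.2.0.1", 2500),
        Flow("198.51.100.3", "10.2.0.1", 200),
    ],
}

if __name__ == "__main__":
    reports, confirmed, rules = coordinate(PEER_FLOWS, baseline_pps=100, quorum=2)
    for peer, patterns in reports.items():
        print(peer, "flagged:", patterns)
    print("consensus:", confirmed)
    print("\n".join(rules))
```

With these inputs enclave-a flags both prefixes locally, but only 203.0.113.0/24 clears the two-peer quorum, so it is the only prefix that reaches the rule output; the single-site spike is kept local, which is the point of requiring agreement before asking a provider to act.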
DDoS attacks are often used to hold a business for ransom. Galois researcher Adam Wick talks about how the collaborative approach can eliminate, or at least reduce, “for ransom” attacks. “Ransom in DDoS cases is one of those clear indicators that our current approaches to DDoS defense are failing,” according to Wick. Wick then adds:
“Attackers can only ask for ransom when an organization has no way to defend themselves. Ransom cases can be mitigated by having effective DDoS defense that doesn’t allow an attack to become a problem in the first place. The most effective defenses in the coming years will take into account the bigger picture by connecting everyone involved, for a more timely response. If we can minimize the effect of large DDoS attacks, we effectively reduce cases where attackers demand ransom.”
The 3DCoP approach to defending against DDoS will only be effective if an extensive and broad range of organizations join the program and agree to collaborate with each other. This is something that the Department of Homeland Security will handle when the time comes to promote the solution. In particular, small and medium-sized businesses that currently lack sufficient DDoS defense mechanisms are expected to benefit from participation in the collaboration program.