Distributed Denial of Service (DDoS) attacks are used to render key resources unavailable. A classic DDoS attack disrupts a financial institution’s website and temporarily blocks the ability of consumers to bank online. A more strategic attack makes a key resource inaccessible during a critical period. Some examples of this type of attack may include rendering a florist’s website unavailable on Valentine’s Day, slowing or blocking access to tax documents in mid-April or disrupting communication during a critical trading window. Prominent DDoS attacks have been conducted against financial institutions, news organizations, internet security resource providers and government agencies. All organizations that rely on network resources are considered potential targets.
Attacks can and have targeted any system that relies on internet connectivity. The financial services sector is a frequent target of large-scale DDoS attacks and continues to face ever-growing attacks. While these incidents are well documented, this segment of our nation’s economy is not a special case and some of the largest attacks have been directed at security-related sites and services. Over the past five years the scale of attacks has increased tenfold. It is not clear if current network infrastructure could withstand future attacks if they continue to increase in scale.
This project addresses three related DDoS defense challenges. First, DDoSD is working to increase deployment of best practices that would slow attack scale growth, specifically a technique called Internet Best Current Practice 38 that blocks forged packets at or near the source. Second, DDoSD is seeking to defend networks against massive one terabit per second (Tbps) scale attacks through development of collaboration tools suitable for medium-scale organizations. Last, the project is working to defend emergency management systems—both current 911 and Next Generation 911 systems—from Telephony Denial of Service (TDoS) attacks.
Measurement and Analysis to Create Best Practices
Some DDoS attacks make use of spoofed source addresses. Existing best practices filter out forged addresses at the network periphery. Additional best practices extend this guidance to more complex deployments. The collection of anti-spoofing best practices could help mitigate DDoS attacks that rely on forged addresses. Measurement and analysis tools are required to test whether new anti-spoofing deployments are successful, verify existing anti-spoofing practices are working correctly, and provide evidence to demonstrate both advantages and limitations when anti-spoofing best practices are deployed in an organization.
Tools for Communication and Collaboration
The distributed nature of DDoS attacks provides several advantages to the attacker. An attack often comes from a large number of compromised computers that span multiple organizations. Further, as network bandwidth and computational power increases, the attacker benefits from the increased resources that provide them the capability to conduct more powerful attacks. To counter this threat, organizations that make use of network services must invest in resources that keep pace with the increasing significance of the attacks.
Novel DDoS Attack Mitigation and Defense Techniques
This technical topic area seeks to address new variations of denial of service (DDoS) attacks. DDoS attack concepts are being directed at a growing range of services. For example, in spring 2013 DHS and the Federal Bureau of Investigation (FBI) issued warnings for DDoS attacks targeting emergency management services such as 911 systems. Systems including—but not limited to—mobile devices, cyber-physical systems and critical infrastructure components are potential targets for these attacks. Too often the response to new types of attacks and targets is reactive; attackers develop new techniques and/or target new systems and this change in course drives mitigation efforts. Therefore, the goal is to identify potential targets for DDoS that have not been subject to known large-scale DDoS attacks and develop DDoS mitigation capabilities that will be able to withstand a DDoS attack that is double in magnitude from the capabilities of the target’s DDoS defense capability at the beginning of the project.
Colorado State University (CSU): Netbrane: A Software Defined DDoS Protection Platform
The NetBrane effort is developing a DDoS detection-and-mitigation system to defend against Internet DDoS attacks. The system combines high-speed packet capture (100 Gigabits per second [Gbps] or more) with machine learning to detect traffic anomalies, even if they are obscure; Software Defined Networking (SDN) to deploy fine-grain filtering rules that can be pushed instantly; and proactive defenses using network structural information and tips from hacker activities.
SecureLogix: Complex Distributed Telephony Denial of Service (TDoS) Pilots
This effort’s novel approach is to shift the advantage from a TDoS attacker to the network administrator by developing the capability to authenticate callers and detect fraudulent call spoofing. These solutions—based on a series of filters that assign a risk-threat score to every call—will enable 911 systems administrators to better respond to and manage TDoS threats.
University of California San Diego (UCSD): Software Systems for Surveying Spoofing Susceptibility (SPOOFER)
The Spoofer project provides the capability to measure whether a network is compliant with one of the most critical and longstanding, yet still elusive best practices—BCP38/84. This best practice supports source address validation, i.e., ensuring all packets leaving a network use only source addresses belonging to that network.
University of Houston: Towards DDoS Resilient Emergency Dispatch Center
This effort is developing a solution that integrates cost effective National Emergency Number Association (NENA) complication Border Control Function (BCF), VoIP firewall, and Telephony Denial of Service (TDoS) defenses, and smart call handling. This solution will assist in filling capability and resilience gaps with continued operations in the face of TDoS and DDoS attacks.
University of Southern California Information Sciences Institute (USC-ISI): SENSS: SDN Security Service
SENSS is deployable with the current internet service provider (ISP) infrastructure, which enables any ISP to offer automated services for DDoS diagnosis and mitigation, and the capability for a victim to query its own ISP regarding in-bound traffic, routes to prefixes, and helping detect best points for mitigation.
University of Oregon: Drawbridge: Leveraging Software-Defined Networking for DDoS Defense
The Drawbridge effort focuses on deploying DDoS filters upstream and placing filters at prime locations on the network to minimize attack traffic to the victim. Ideally, this approach will also lower overall DDoS traffic impact on the internet.
Science and Technology Blog
Partnering to Prevent TDoS Attacks, July 9, 2019
Tech Talk Video: Defending Against Telephony Denial of Service Attacks
DHS S&T is developing tools and technologies to protect critical infrastructure sectors, including emergency communications from cyberattacks. S&T has partnered with SecureLogix, a telecommunications security company, to develop mitigation solutions to enhance the functionality of Next Generation 911 (NG911) call centers from cyberattacks. Hear from S&T's DDoSD program manager Dr. Ann Cox and SecureLogix's Mark Collier talk about S&T's solutions for securing NG911 call centers.
Press Releases and Media Advisories
DHS S&T Awards $14 Million for Cybersecurity Research, September 2015
Stopping Attacks That Disrupt Voice Communications, April 10, 2017
Turning Back DDoS Attacks, February 16, 2017
Program Manager: Dr. Ann Cox