Distributed Denial of Service Defense

Distributed Denial of Service (DDoS) attacks are used to render key resources unavailable. A classic DDoS attack disrupts a financial institution's website and temporarily blocks consumers from banking online. A more strategic attack makes a key resource inaccessible during a critical period: for example, rendering a florist's website unavailable on Valentine's Day, slowing or blocking access to tax documents in mid-April, or disrupting communication during a critical trading window. Prominent DDoS attacks have been conducted against financial institutions, news organizations, internet security resource providers and government agencies. Any organization that relies on network resources is a potential target.

Motivation

Attacks can target, and have targeted, any system that relies on internet connectivity. The financial services sector is a frequent target of large-scale DDoS attacks and continues to face ever-growing attacks. While these incidents are well documented, this segment of our nation's economy is not a special case; some of the largest attacks have been directed at security-related sites and services. Over the past five years the scale of attacks has increased tenfold. It is not clear whether current network infrastructure could withstand future attacks if they continue to grow at that rate.

Approach

This project addresses three related DDoS defense challenges. First, DDoSD is working to increase deployment of best practices that would slow the growth in attack scale, specifically Internet Best Current Practice 38 (BCP 38), which blocks packets with forged source addresses at or near the network they originate from. Second, DDoSD is seeking to defend networks against attacks at the one terabit per second (Tbps) scale by developing collaboration tools suitable for medium-scale organizations. Last, the project is working to defend emergency management systems, both current 911 and Next Generation 911 systems, against Telephony Denial of Service (TDoS) attacks.

Measurement and Analysis to Create Best Practices

Some DDoS attacks, reflection and amplification attacks in particular, depend on spoofed source addresses. The existing best practice (BCP 38) filters out forged source addresses at the network edge, where the operator knows which prefixes can legitimately originate traffic; BCP 84 extends this guidance to multihomed and other more complex deployments. Together these anti-spoofing best practices could mitigate DDoS attacks that rely on forged addresses, but only if they are actually deployed and actually work. Measurement and analysis tools are therefore required to test whether new anti-spoofing deployments are effective, verify that existing anti-spoofing practices are working correctly, and provide evidence of both the advantages and the limitations of deploying anti-spoofing best practices in an organization.

Tools for Communication and Collaboration

The distributed nature of DDoS attacks gives the attacker several advantages. An attack often comes from a large number of compromised computers that span multiple organizations, so no single victim or network sees the whole picture. Further, as network bandwidth and computational power increase, the attacker benefits from the same increased resources, which let them conduct more powerful attacks. To counter this threat, organizations that depend on network services must invest in defenses, and in the ability to coordinate with other organizations, that keep pace with the growing scale of the attacks.

Novel DDoS Attack Mitigation and Defense Techniques

This technical topic area seeks to address new variations of distributed denial of service (DDoS) attacks. DDoS attack concepts are being directed at a growing range of services. For example, in spring 2013 DHS and the Federal Bureau of Investigation (FBI) issued warnings about DDoS attacks targeting emergency management services such as 911 systems. Systems including, but not limited to, mobile devices, cyber-physical systems and critical infrastructure components are potential targets for these attacks. Too often the response to new types of attacks and targets is reactive: attackers develop new techniques or target new systems, and that change of course drives the mitigation effort. The goal of this topic area is therefore to identify potential DDoS targets that have not yet been subject to known large-scale attacks, and to develop mitigation capabilities able to withstand an attack twice the magnitude of what the target's DDoS defenses could handle at the start of the project.

Performers

Colorado State University (CSU): NetBrane: A Software Defined DDoS Protection Platform

The NetBrane effort is developing a DDoS detection-and-mitigation system to defend against internet DDoS attacks. The system combines high-speed packet capture (100 gigabits per second [Gbps] or more) with machine learning to detect traffic anomalies, even subtle ones; Software Defined Networking (SDN) to deploy fine-grained filtering rules that can be pushed instantly; and proactive defenses that use network structural information and indicators gathered from attacker activity.

SecureLogix: Complex Distributed Telephony Denial of Service (TDoS) Pilots

This effort's novel approach is to shift the advantage from the TDoS attacker to the network administrator by developing the capability to authenticate callers and detect fraudulent caller ID spoofing. These solutions, based on a series of filters that assign a risk-threat score to every call, will enable 911 system administrators to better respond to and manage TDoS threats.
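To make the "series of filters that assign a risk-threat score to every call" concrete, here is an added example of such a filter chain. It is illustrative code written for this page, not SecureLogix's product or any 911 system's logic; the call records, the individual filters, their weights and the decision thresholds are all constructed assumptions. It scores each inbound call on a malformed caller number, a mismatch between the presented number and the carrier-asserted identity, per-caller call rate, and a history of immediate hang-ups, then maps the score to a handling decision. Because these are emergency calls, the highest-risk outcome is to divert to lower-priority handling, never to reject outright.

```python
"""Call risk scoring for a PSAP inbound queue: a chain of filters, each adding
points and a reason, with thresholds turning the total into a decision.
Added example; all weights, thresholds and sample calls are constructed."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Call:
    t: float                 # arrival time in seconds
    ani: str                 # caller number as presented (ANI / SIP From)
    asserted: Optional[str]  # carrier-asserted identity (P-Asserted-Identity), if delivered

# 10-digit NANP number with valid leading digits for area code and exchange.
NANP = re.compile(r"^[2-9]\d{2}[2-9]\d{6}$")

class CallScorer:
    WINDOW = 60.0      # seconds of per-caller history kept for the rate filter
    RATE_LIMIT = 5     # more calls than this per window from one ANI looks automated
    SHORT_CALL = 3.0   # seconds; hang-ups this fast are a common TDoS signature

    def __init__(self):
        self.recent = defaultdict(deque)       # ani -> arrival times within WINDOW
        self.short_hangups = defaultdict(int)  # ani -> count of prior very short calls

    def record_end(self, call: Call, duration: float) -> None:
        """Feed call outcome back in; immediate hang-ups raise future risk for that ANI."""
        if duration < self.SHORT_CALL:
            self.short_hangups[call.ani] += 1

    def score(self, call: Call):
        points, reasons = 0, []
        # Filter 1: caller number that cannot be a real allocated NANP number.
        if not NANP.match(call.ani):
            points += 40
            reasons.append("invalid-ani")
        # Filter 2: presented number disagrees with what the carrier asserts (spoofing indicator).
        if call.asserted is not None and call.asserted != call.ani:
            points += 30
            reasons.append("ani-mismatch")
        # Filter 3: per-caller rate over a sliding window.
        q = self.recent[call.ani]
        q.append(call.t)
        while q and call.t - q[0] > self.WINDOW:
            q.popleft()
        if len(q) > self.RATE_LIMIT:
            points += 25
            reasons.append("rate")
        # Filter 4: this caller has repeatedly hung up as soon as answered.
        if self.short_hangups[call.ani] >= 3:
            points += 15
            reasons.append("short-hangups")
        return points, reasons

    def decide(self, call: Call):
        points, reasons = self.score(call)
        if points >= 60:
            action = "divert"   # lower-priority queue / automated verification, not a hard reject
        elif points >= 30:
            action = "flag"     # answer, but mark for the call taker and supervisor
        else:
            action = "answer"
        return action, points, reasons

def run_sample():
    """Constructed traffic: two ordinary callers, then a flood from one spoofed number."""
    scorer = CallScorer()
    calls = [Call(0.0, "7135550142", "7135550142"), Call(2.0, "2815550199", None)]
    # Flood: 8 calls in 8 s presenting ANI 7135550100 while the trunk asserts a different number.
    calls += [Call(5.0 + i, "7135550100", "4695550777") for i in range(8)]
    decisions = []
    for c in calls:
        action, pts, why = scorer.decide(c)
        decisions.append((c.ani, action, pts, tuple(why)))
        if c.ani == "7135550100":
            scorer.record_end(c, 0.5)  # flood calls drop as soon as they are answered
    return decisions

if __name__ == "__main__":
    for row in run_sample():
        print(row)
```

In the sample run the two ordinary callers are answered with a score of 0, the first flood calls are flagged on the identity mismatch alone, and once the hang-up history and call rate accumulate the score crosses 60 and the remaining flood calls are diverted, while the first filter alone would flag any caller presenting an unallocatable number. A real deployment would tune weights against historical call data and add further signals (SIP header anomalies, geographic implausibility, STIR/SHAKEN attestation where available), but the structure stays the same.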

University of California San Diego (UCSD): Software Systems for Surveying Spoofing Susceptibility (SPOOFER)

The Spoofer project provides the capability to measure whether a network complies with one of the most critical and longstanding, yet still elusive, best practices: BCP 38/84. This best practice is source address validation, i.e., ensuring that all packets leaving a network carry only source addresses belonging to that network.
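The following added example ties together the anti-spoofing discussion above (Measurement and Analysis to Create Best Practices) and the Spoofer measurement idea. It is illustrative code written for this page, not code from the Spoofer project or from any router vendor: it implements BCP 38 strict source address validation and BCP 84's looser variant for multihomed links as pure functions over a constructed edge topology, then runs a Spoofer-style set of probe packets with forged sources through each to report which classes of spoofing still get through. The interface names, prefixes (RFC 5737/3849 documentation ranges standing in for real allocations), the bogon list and the probe packets are all constructed assumptions.

```python
"""Source address validation at a network edge (BCP 38 strict mode, BCP 84
loose mode for multihomed/asymmetric links) plus a Spoofer-style probe that
reports which forged sources a given filter still lets through.
Added example; topology, prefixes and packets are constructed."""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str         # source address as text
    ingress_if: str  # interface the packet arrived on

# Constructed: prefixes legitimately sourced behind each customer-facing interface.
PREFIXES_BEHIND = {
    "cust0": ("198.51.100.0/24",),
    "cust1": ("203.0.113.0/25", "2001:db8:1::/48"),
}

# Sources that are never valid on an inter-domain link (partial, constructed list).
NEVER_VALID_SOURCES = (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fe80::/10", "ff00::/8",
)

def _nets(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

def _in_any(addr, nets):
    # ipaddress treats v4-in-v6 membership as False; the version check makes that explicit.
    return any(addr.version == n.version and addr in n for n in nets)

def strict_check(pkt: Packet) -> bool:
    """BCP 38 strict mode: accept only if the source belongs to a prefix
    assigned to the interface the packet arrived on."""
    src = ipaddress.ip_address(pkt.src)
    if _in_any(src, _nets(NEVER_VALID_SOURCES)):
        return False
    return _in_any(src, _nets(PREFIXES_BEHIND.get(pkt.ingress_if, ())))

def loose_check(pkt: Packet) -> bool:
    """BCP 84 loose mode: accept if the source belongs to *any* prefix behind
    *any* customer interface.  Weaker than strict, but does not drop legitimate
    traffic that arrives on the 'wrong' link of a multihomed customer."""
    src = ipaddress.ip_address(pkt.src)
    if _in_any(src, _nets(NEVER_VALID_SOURCES)):
        return False
    every = [c for cidrs in PREFIXES_BEHIND.values() for c in cidrs]
    return _in_any(src, _nets(every))

# Constructed probes, all emitted by a host at 198.51.100.7 attached via cust0.
PROBES = {
    "legit":       Packet("198.51.100.7", "cust0"),    # the host's own address
    "neighbor":    Packet("198.51.100.200", "cust0"),  # another host in the same /24
    "other_cust":  Packet("203.0.113.9", "cust0"),     # address routed behind cust1
    "unallocated": Packet("192.0.2.55", "cust0"),      # not behind any interface here
    "private":     Packet("10.1.2.3", "cust0"),        # RFC 1918
    "v6_other":    Packet("2001:db8:1::5", "cust0"),   # v6 prefix behind cust1
}

def measure(check) -> dict:
    """Which probe classes the filter lets through (True = forwarded).
    'neighbor' is the case no prefix-based filter at this edge can catch: the
    forged source sits inside the same assigned prefix, so that defense has to
    live on the customer LAN (e.g. per-port filtering)."""
    return {name: check(pkt) for name, pkt in PROBES.items()}

if __name__ == "__main__":
    for name, fn in (("strict", strict_check), ("loose", loose_check)):
        print(name, measure(fn))
```

Running it shows the advantage and the limitation the text refers to: strict mode forwards only the legitimate and the same-prefix "neighbor" probes, loose mode additionally forwards sources belonging to other customers of the same edge, and neither catches a forged address inside the sender's own prefix. A real Spoofer-style measurement does the same thing over the network, emitting these probe classes from a client inside the tested network and observing at a remote receiver which ones arrive.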

University of Houston: Towards DDoS Resilient Emergency Dispatch Center

This effort is developing a solution that integrates a cost-effective, National Emergency Number Association (NENA)-compliant Border Control Function (BCF), a VoIP firewall, Telephony Denial of Service (TDoS) defenses, and smart call handling. This solution will help fill capability and resilience gaps so that dispatch centers can continue operating in the face of TDoS and DDoS attacks.

University of Southern California Information Sciences Institute (USC-ISI): SENSS: SDN Security Service

SENSS is deployable on current internet service provider (ISP) infrastructure. It enables any ISP to offer automated DDoS diagnosis and mitigation services, and lets a victim query its own ISP about inbound traffic and the routes to its prefixes, helping to identify the best points in the network at which to mitigate.

University of Oregon: Drawbridge: Leveraging Software-Defined Networking for DDoS Defense

The Drawbridge effort focuses on deploying DDoS filters upstream of the victim, at the network locations where they remove the most attack traffic before it reaches the victim. Ideally, this approach also lowers the overall impact of DDoS traffic on the internet.

News

Press Releases and Media Advisories

DHS S&T Announces $1.3m in Small Business Innovation Research Awards (June 12, 2017)

Snapshot Articles

Stopping Attacks That Disrupt Voice Communications, April 10, 2017

Turning Back DDoS Attacks, February 16, 2017

Science and Technology Blog

Partnering to Prevent TDoS Attacks, July 9, 2019

Podcast

Understanding 911 Vulnerabilities to TDoS & DDoS Attacks

Resources

DDoSD Fact Sheet

DDoSD Telephony Denial of Service (TDoS)

Visit the cybersecurity projects, news and resources pages for cyber specific articles and other written products or connect with us at the next S&T cybersecurity event.  

Archive

Press Releases and Media Advisories

DHS S&T Awards $14 Million for Cybersecurity Research, September 2015

DHS S&T Awards $2.7M to Colorado State University for Cyber Security Research, September 2015

DHS S&T Awards USC Information Sciences Institute $1.8M Contract for Cyber Security Research, September 2015

DHS S&T Awards University of California San Diego $1.3M for Cyber Security Research, September 2015

DHS S&T Awards Portland Company $1.7M Contract for Cyber Security Research, September 2015

DHS S&T Awards $629K to Waterford Company for Cyber Security Research, September 2015

DHS S&T Awards University of Houston $2.6M for Cyber Security Research, September 2015

DHS S&T Awards University of Delaware $1.9M for Cyber Security Research, September 2015

DHS S&T Awards University of Oregon a $1.38M Contract for Cyber Security Research, August 2015

Contact

Program Manager: Dr. Ann Cox

Email: SandT-Cyber-Liaison@hq.dhs.gov
