Thesis proposal
Distributed Denial of Service Signatures refinement
Methods in Public Networks
Topic:
The last five years have seen a large increase in the number of Distributed Denial of Service (DDOS) attacks. The goal of DDOS attackers is usually to prevent legitimate users from accessing a network service. They usually succeed by sending a large number of requests to the service provider from several devices that have previously been infected through viruses, worms or other forms of malware.
Most DDOS protection strategies currently perform violation detection at the victim to generate a signature of the attack. A popular approach is then to use this signature to trace back sources of the attack in the network as shown in Figure 1. Tracking is an important part of DDOS prevention operations for several reasons:

Figure 1. DDOS attack mitigation process.
Unfortunately, a large proportion of existing attacks use spoofed addresses, which makes it impossible to find their origin, or the paths followed by the attack, if only addresses are taken into account. As a result, tracking operations have to be used to satisfy these requirements. As tracking activities progress within one domain, the attack signature can usually be refined for two reasons. Potential sources can be excluded when they provide a marginal contribution to the attack in terms of traffic. Potential victims can be excluded when they receive a marginal part of the attack traffic. As network operators rarely cooperate on DDOS attack prevention activities, source tracking activities usually stop at administrative borders and are followed by filtering actions. Attack signatures are therefore often not precise enough and encompass attack traffic as well as legitimate traffic, as presented in Figure 2. Consequently, existing DDOS prevention schemes often deny access to legitimate traffic.

Figure 2. Traffic at an enforcement point.
One of the reasons that may explain this lack of precision is the lack of understanding of what legitimate traffic is.
The goal of this thesis is to define new models, protocols and mechanisms to enable distributed recognition of legitimate traffic in order to improve existing DDOS prevention schemes.
This work is funded through the European DIADEM IST/FP6 project and performed in collaboration with other European partners including academic institutions, network operators and network security device manufacturers.
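The signature refinement described above (excluding marginal sources and marginal victims while tracking inside one domain) can be sketched as follows. This is an added example, not part of the original proposal: the flow records, the ingress point names, the 5% threshold and the ground-truth labels are constructed assumptions, and the labels are used only to measure how much legitimate traffic each signature would filter.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed flow records seen inside one domain:
# (ingress point, destination, bytes, ground-truth label used only for scoring)
FLOWS = [
    ("peer-A", "192.0.2.10", 4_000_000, "attack"),
    ("peer-A", "192.0.2.10",   150_000, "legit"),
    ("peer-B", "192.0.2.10", 3_500_000, "attack"),
    ("peer-C", "192.0.2.10",   200_000, "legit"),
    ("peer-C", "192.0.2.20",   180_000, "legit"),
    ("peer-A", "192.0.2.20",    50_000, "legit"),
    ("peer-D", "192.0.2.30",   120_000, "legit"),
    ("peer-D", "198.51.100.5", 900_000, "legit"),  # outside the signature
]

# Coarse signature as generated at the victim: a destination prefix only.
BASE = {"dst_net": ip_network("192.0.2.0/24"), "ingress": None, "victims": None}

def matches(sig, flow):
    """True if the flow falls under the signature (None means 'any')."""
    ingress, dst, _, _ = flow
    return (ip_address(dst) in sig["dst_net"]
            and (sig["ingress"] is None or ingress in sig["ingress"])
            and (sig["victims"] is None or dst in sig["victims"]))

def refine(sig, flows, marginal=0.05):
    """Exclude ingress points and victims carrying < `marginal` of matched bytes."""
    hit = [f for f in flows if matches(sig, f)]
    total = sum(f[2] for f in hit)
    if total == 0:                      # nothing matched: nothing to refine
        return dict(sig)
    by_ingress, by_victim = Counter(), Counter()
    for ingress, dst, nbytes, _ in hit:
        by_ingress[ingress] += nbytes
        by_victim[dst] += nbytes
    def keep(counts):
        return {k for k, v in counts.items() if v / total >= marginal}
    return {**sig, "ingress": keep(by_ingress), "victims": keep(by_victim)}

def filtered_bytes(sig, flows):
    """Bytes per ground-truth label that a filter built from `sig` would drop."""
    out = Counter()
    for f in flows:
        if matches(sig, f):
            out[f[3]] += f[2]
    return out
```

On this constructed data the refined signature still filters the legitimate flow that shares an ingress point and victim with the attack, which volume-based refinement cannot separate.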
Scientific Advisor :
Name : Olivier Paul
Position : Assistant Professor within the LOR (Networks-Software) department at INT (National Institute for Telecommunication).
Address : INT, LOR Department, 9 rue Charles Fourier, 91011 Evry, France
Tel : 01 60 76 47 91 Fax : 01 60 76 47 11
Email : Olivier.Paul@int-evry.fr
URL : http://www-lor.int-evry.fr/~paul_o/
Where and when :
INT, LOR Department, 9 rue Charles Fourier, Evry, Essonne (91). Starting November 2003.
Student profile sought:
Student currently holding or in the process of obtaining a master's or equivalent degree with majors in telecommunication networks and security. As the thesis is funded through a project with European partners, fluency in English is also required.
How to apply :
Please send an email or regular mail to the above-mentioned address including a complete resume as well as a cover letter.