DIADEM FIREWALL    FP6 IST-2002-002154

MonAM 2006

A comparison with the state of the art clearly outlines the advantages of the approach. An important challenge that has to be met is protection against DDoS attacks. The distributed nature of these attacks is the core problem that defense mechanisms face: attacking agents are typically scattered across interconnected networks, and this dispersion is frequently combined with source-address spoofing. Together, these two factors make locating and tracing back to the attacking computers extremely difficult.

The traffic generated constitutes a second important component of DDoS attacks. The similarity between legitimate and illegitimate traffic makes the detection and classification of flows difficult. The flooding generated and the protocols used by an attack do reveal some information that may allow detection, but it is not always sufficient. For example, distinguishing a flash event from a DoS (Denial of Service) attack requires a thorough characterization of the traffic types.

The significant number of unprotected devices connected to the Internet provides very fertile ground for recruiting new agents and automating attacks. This new threat, which takes the form of worms in particular, has demonstrated its effectiveness on several occasions.

Many academic and industrial solutions have been proposed to counter DDoS attacks. They tackle the question mainly in two ways. The first type of defense consists in tracing back the sources of the attack. For that, the routers on the network are enlisted to provide the information needed to reconstruct the path taken by the flows. This information is carried either within the packets themselves (packet marking) or in dedicated messages. The IETF has chosen the latter model and proposes a mechanism called iTrace. However, so far these approaches are not very effective. From a router manufacturer's point of view, introducing new functions into the fast path of routers contradicts the general "simplify to scale" objective for core routers. Therefore, these mechanisms cannot be expected to be generally available soon.
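To make the packet-marking idea concrete, the following is an added example (not code from the DIADEM FIREWALL project, and not iTrace) of the simplest probabilistic packet-marking variant, node sampling: every router on the path overwrites a single mark field in the packet with its own address with probability p, and the victim reconstructs the path by sorting the addresses it observes by frequency. The router addresses, the path and the marking probability p = 0.2 are constructed for the simulation (real schemes use a much smaller p, at the cost of needing far more packets); the mark field in practice would be an overloaded IP header field.

```python
import random
from collections import Counter

# Constructed example: the attack path from an attacking host to the victim
# traverses these four routers in order (hypothetical addresses). The victim
# sees only the mark field, never these addresses directly.
ATTACK_PATH = ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"]


def mark_packet(path, p, rng):
    """Router side of node sampling: each router on the path overwrites the
    packet's single mark field with its own address with probability p.
    The packet's source address is never consulted, so spoofing it does not
    affect the marks the victim collects."""
    mark = None
    for router in path:
        if rng.random() < p:
            mark = router
    return mark


def collect_marks(path, p, n_packets, seed=1):
    """Victim side: count how often each router address survives in the
    mark field over n_packets attack packets."""
    rng = random.Random(seed)
    counts = Counter()
    for _ in range(n_packets):
        mark = mark_packet(path, p, rng)
        if mark is not None:
            counts[mark] += 1
    return counts


def expected_fraction(distance, p):
    """Fraction of packets expected to arrive marked by the router that is
    `distance` hops upstream of the victim's nearest router (0 = nearest):
    it marks with probability p and no closer router may overwrite it."""
    return p * (1 - p) ** distance


def reconstruct_path(counts):
    """Routers closer to the victim appear most often, so ordering the
    observed marks by decreasing frequency gives the path from the victim
    outward; reverse it to read it from the attacker towards the victim."""
    nearest_first = [router for router, _ in counts.most_common()]
    return list(reversed(nearest_first))


if __name__ == "__main__":
    observed = collect_marks(ATTACK_PATH, p=0.2, n_packets=20000)
    for router, n in observed.most_common():
        print(f"{router}: {n} marked packets")
    print("reconstructed path:", " -> ".join(reconstruct_path(observed)))
```

With four routers and p = 0.2 the expected shares are 20%, 16%, 12.8% and 10.24% of all packets, so a few thousand packets separate the hops clearly. The example also shows the limits the text refers to: it needs a large volume of attack packets, a header field to carry the mark, and marking logic in every router's fast path, and it reconstructs only a single path, while a distributed attack produces a tree of paths whose marks are mixed at the victim.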

The second type of defense is based on traffic filtering. Malicious packets are identified and removed based on a particular signature in the packet (deliberate malformations and falsifications introduced by the attacker). However, the slow deployment of ingress filtering [RFC2827] has shown that network operators show little intent to implement security measures that mainly benefit the customers of other operators.
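The ingress filtering of RFC 2827 mentioned above amounts to one check at each customer-facing interface: a packet may only carry a source address from the prefixes delegated to that interface. The following added example (not project code) implements that check and applies it to a constructed batch of packets; the interface names, the delegated prefixes (taken from the documentation address ranges) and the packet records are all constructed for the illustration.

```python
import ipaddress

# Constructed configuration (hypothetical interface names; prefixes from the
# RFC 5737 / RFC 3849 documentation ranges): the address blocks an operator
# has delegated to the customer attached to each access interface.
CUSTOMER_PREFIXES = {
    "eth1": [ipaddress.ip_network("203.0.113.0/24")],
    "eth2": [ipaddress.ip_network("198.51.100.0/25"),
             ipaddress.ip_network("2001:db8:1::/48")],
}


def ingress_allowed(interface, src):
    """RFC 2827 ingress check: a packet entering on an access interface is
    forwarded only if its source address lies inside one of the prefixes
    delegated to that interface; anything else is a spoofed or misrouted
    source and is dropped. Unparseable sources and unknown interfaces are
    dropped as well."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    # `addr in net` is False when address and network are of different IP
    # versions, so IPv4 and IPv6 prefixes can share one list.
    return any(addr in net for net in CUSTOMER_PREFIXES.get(interface, []))


def filter_packets(packets):
    """Apply the check to a batch of {"iface", "src"} records and return the
    accepted and dropped lists."""
    accepted, dropped = [], []
    for pkt in packets:
        target = accepted if ingress_allowed(pkt["iface"], pkt["src"]) else dropped
        target.append(pkt)
    return accepted, dropped


def drops_per_interface(dropped):
    """Per-interface drop counts: a customer site that suddenly emits many
    spoofed sources is what a monitoring system would want to flag."""
    counts = {}
    for pkt in dropped:
        counts[pkt["iface"]] = counts.get(pkt["iface"], 0) + 1
    return counts


# Constructed sample of packets seen at the edge router's access interfaces.
SAMPLE_PACKETS = [
    {"iface": "eth1", "src": "203.0.113.9"},      # legitimate customer source
    {"iface": "eth1", "src": "192.0.2.7"},        # spoofed: not delegated to eth1
    {"iface": "eth2", "src": "198.51.100.200"},   # spoofed: outside the /25
    {"iface": "eth2", "src": "2001:db8:1::5"},    # legitimate IPv6 source
    {"iface": "eth2", "src": "203.0.113.9"},      # eth1's prefix arriving on eth2
    {"iface": "eth3", "src": "198.51.100.5"},     # unknown interface, no prefixes
    {"iface": "eth1", "src": "not-an-address"},   # malformed source field
]

if __name__ == "__main__":
    ok, bad = filter_packets(SAMPLE_PACKETS)
    print(f"accepted {len(ok)}, dropped {len(bad)}")
    print("drops per interface:", drops_per_interface(bad))
```

The check is cheap and local, which is exactly why its slow uptake is telling: the operator applying it gains little directly, since the spoofed packets it drops would have hit someone else's customers.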

Filtering and traceback mechanisms allow us to fight DDoS, but they do not provide the infrastructure necessary for effective management of the problem. To this end, architectures have been proposed that allow dynamic coordination of the actions to be taken and thus remove these restrictions. They introduce cooperation between devices. This cooperation can either rely on a central entity that distributes the necessary rules to the devices (the policy-based network paradigm), or be based on an inter-router peer-to-peer communication model. However, none of the existing architectures offers a complete defense against the problem, i.e. covers all three principal phases of defense: the detection of, the tracing of, and the response to an intrusion.

This project pursues a comprehensive approach to protection against a wide range of attacks and other malfunctions, by combining cooperating high-speed edge devices that (i) allow all the information needed to detect attacks or malfunctions to be collected, (ii) are capable of performing all necessary countermeasures, and (iii) are coordinated coherently using policy-based mechanisms, to ensure flexibility for a wide range of scenarios and applications.