D-WARD, DDoS and Three Network Administrative Domains
DoS/DDoS attacks are a virulent, relatively new type of Internet attacks, they have caused some biggest web sites on the world -- owned by the most famous E-Commerce companies such as Yahoo, eBay, Amazon -- became inaccessible to customers, partners, and users, the financial losses are very huge.
For defensing against the DDoS attacks, the network engineers have made many attempts to design the systems that help identify the machines of lunching DDoS attacks and stop the malicious attacks. The systems are deployed at three administrative network domains: victim network, intermediate network and source network. In this paper, I will take an overview for the three administrative domains; compare and analyze the potential abilities of the systems for detecting and defensing the DDoS attacks, when the systems are deployed on each kind of the administrative network domain.
It is easy to understand that the DDoS attacks should be stopped as close as possible the source of the attacks that will save the network resources and reduce the traffic congestion, so I also discuss the D-WARD, or DDoS Network Attack Recognition and Defense, it is an important DDoS defense system deployed at the source network.
2. Defense Systems on Three Network Administrative Domains
2.1 Victim Network
Historically, most of the systems detecting and defensing the DDoS attacks are deployed on the destination/victim network, because the victims have the greatest incentive to deploy the systems. The systems at the victim network facilitate easy detection for the DDoS attacks and possible characterizations of the DDoS attack signatures. However, compare to the systems deployed at the intermediate network and the source network, the systems deployed at the victim network are ineffective in stopping the attacks because they require the cooperation of upstream routers to push back the attacking flows.
At the victim network, traditionally, much of the works related to detect and defense the DDoS attacks have been carried on the Intrusion Detection System (IDS). The IDS detects the DDoS attacks either by using the database of known signatures (such as the Cisco Secure IDS Signatures watching for the DDoS attacks: 6501 TFN Client â€šÃ„Ã¬ 6508 mstream Control Traffic, see ), or by recognizing anomalies in system behavior. But, most of these systems do not take automated action to stop the attacks, they just raise an alert to the system administrator.
Currently, there are several kinds of the mechanisms detecting and defensing the DDoS attacks at the victim network:
- In the on-off control approach, a router located at the victim of a DDoS attack detects the attack by monitoring the routerâ€šÃ„Ã´s buffer queue size. Once the queue size grows over a specified threshold, the router reacts by switching to a different mode of operation and throttling the incoming traffic. Only the packets which identified as a certain problematic type of traffic are dropped. When the queue size is reduced, the throttling is stopped. Under the reasonable volume of attack packets, this approach efficiently protects the victim from overflowing its buffers by early detection of DDoS attacks, and does not completely cut off the traffic from the source network.
2.2 Intermediate Network
Defensing against the DDoS attacks at the intermediate network is obviously more effective than at the victim network, because large volumes of the DDoS attacks can be handled easily on the intermediate network, and the attacks can be cooperatively traced back to the sources of the DDoS attacks. But, there are several problems that prevent from deploying the defense systems at the intermediate network:
- Performance: usually, the intermediate network handles large traffic volumes. Defensing against the DDoS attacks on the intermediate network requires additional resource for traffic profiling and rate limiting, it will degrade the networkâ€šÃ„Ã´s performance, and might in turn degrade the Internet service as a whole.
It is easy to understand that the DDoS attacks should be stopped as close as possible the source of attacks. If we deploy the systems defensing the DDoS attacks at the source network side, it will greatly save the network resources and reduce the congestion.
The attacks appear different at the source network from at the victim network. At the victim network, all DDoS flows converge and affect the victim greatly so that the detection is inevitable; at the source network, the flows are still dispersed and appear as a set of perfectly valid transactions. It is usually the sheer amount of the transactions that saturates the victim network.
Deploying the systems defensing DDoS attacks at the source network side of the attacks has many advantages over deploying the systems further downstream to the intermediate network or the victim network:
- The attack flows can be stopped before they transfer to the Internet core part and before they aggregate with other attack flows, the two flows achieve together the power to create network congestion and exhaust resources.
D-WARD, or DDoS Network Attack Recognition and Defense, is a very important DDoS defense system deployed at the source router network (either LAN or border router).
Due to the similarity of the DDoS attacks and the legitimate traffics, it is unwise to take any defensive action based on per-packet observations. D-WARD takes most of its decisions based on flow and connection monitoring over time (a connection is defined as the aggregate traffic, a flow is consisted of one or more connections), rather than establishing the legitimacy of individual packets. D-WARD observes the traffic flows outgoing from and incoming to the source network, and gathers lightweight statistics on the flows, classified by destination. These statistics, along with built-in traffic models, define the legitimate traffic patterns. Any discrepancy between the observed traffic and the legitimate traffic pattern for a given destination/victim is considered to be the signal of the potential DDoS attacks. After the source router obtains the signal, it decides to throttle all the traffic to the suspected destination/victim of the attacks; at the same time it attempts to separate the attacking flows from the legitimate flows and identify the attacking machines. This approach has the benefit of preventing malicious flows from entering the network and consuming resources.
See the Figure 1, the D-WARD system is installed at the source router, the source router serves as a gateway between the source network and the rest part of the Internet. There are four kinds of the deployments for the D-WARD system:
- In the basic deployment, the source router is considered as the only connection point between the
source network and the rest part of the Internet. Thus, the D-WARD can observe every packet
transferred between the source network and rest part of the Internet.
- In another scenario, there are many gateway routers on the source network border, but each gateway is a default exit and entry for a set of the foreign addresses. A D-WARD system can be deployed at each gateway and observe every packet exchanged between the source network and the set of the foreign addresses signed to that D-WARD system.
- Some gateway routers host the D-WARD systems, and partially police the source networkâ€šÃ„Ã´s outgoing traffic only to certain destinations/victims.
- Multiple gateway routers exist and there is asymmetric routing of incoming and outgoing packets (an outgoing packet to the destination X may traverse a different gateway than an incoming packet from the source Y) is unfavorable for D-WARD system since it cannot form complete traffic observations.
3.2 Architecture of D-WARD
D-WARD is a self-regulating reverse-feedback system, it is consisted of by three components, see the Figure 2:
- Observation Component: it can be part of a self-contained unit that interacts with the source router to obtain the traffic statistics.
3.2.1 Observation Component
The Observation Component monitors all packets passing through the source router and gathers statistics on the two-way communications between the police address set and the rest of the Internet, and records the flow and connection granularity. This monitoring can be performed by sniffing the traffic at the interface of the source router. Periodically, the statistics are compared to the Flow Models and the Connection Models of the legitimate traffic (see the Figure 2), and the flows and connections are classified. The classification results are passed to the Rate-Limiting Component, which adjusts the Rate Limit Rules. Both the Legitimate Connection List (which comes out the Observation Component) and the Rate Limit Rules (which comes out the Rate-Limiting Component) are communicated to the Traffic-Policing Component (a part of the source router), which then enforces the rate limits and ensures forwarding of legitimate packets. The imposed rate limits modify the associated traffic flows and thus affect future observations, and close the feedback loop.
In the Observation Component, the flow statistics are stored in the Flow Table, and the connection statistics are stored in the Connection Tables, see the Figure 2. The spoofed attacks may generate a large number of records in two kinds of the tables, the sizes of the tables are limited to avoid excessive memory consumption. The Observation Component cleans the tables by two methods:
- Periodically expels all records that are stale;
The connection above is performed continuously. But, if D-WARD uses the on-demand (un-continued) approach, a delay would exist between the detection signals of the DDoS attacks and the populating of the Connection Table, the legitimate connection traffic would be damaged by the DDoS attacks.
3.2.2 Rate-Limiting Component
The Rate-Limiting Component adjusts rate limit values on every Flow Observation Interval, it receives classification results from the Observation Component and flow behavior history from the Traffic-Policing Component, and devises a rate-limit value for each active flow.
The flow behavior history is expressed by two metrics:
- B-sent, the byte amount of the flow traffic forwarded to the victim;
- B-dropped, the byte amount of the flow traffic dropped due to rate limiting.
A measure of how well a flow complies to the imposed rate limit â€šÃ„Ã¬ Flow Compliance Factor (FCF) â€šÃ„Ã¬ is calculated as:
Â¬ Â¬ Â¬ Â¬ Â¬ Â¬ Â¬ Â¬ Â¬ Â¬ FCF = B-send / (B-send + B-dropped)
FCF values range from 0 (if B-send=0) to 1 (if B-dropped=0 and B-send is not equal to zero). The higher FCF values means the better compliance with the imposed rate limit.
3.2.3 Traffic-Policing Component
See the Figure 2, the Traffic-Policing Component periodically receives:
- The rate-limited flow information (the Rate Limit Rules) from the Rate-Limiting Component (every Flow Observation Interval);
System Design Laboratory, Projects: Intrusion Detection
 http://www-106.ibm.com/ developerworks/webservices/library/co-emrld.html
IBM: EMERALDâ€šÃ„Ã´s component-based approach to network security
 See: http://r esearch.microsoft.com/users/tuomaura/Publications/hughes-aura-bishop-ssp00.pdf
WATCHERS is a distributed network monitoring protocol designed to detect and isolate these malicious routers which discards or misroutes packets that pass through the routers.
See: http://citeseer.ist.psu.edu/bradley97detect ing.html
WATCHERS is based on the principle of conservation of #ow in a network: all data bytes sent into a node, and not destined for that node, are expected to exit the node.
 Cisco Secure IDS Signatures watching for the DDoS attacks are:
Â¬ Â¬ Â¬ Â¬ Â¬ Â¬ 6501 TFN Client
Â¬ Â¬ Â¬ Â¬ Â¬ Â¬ 6502 TFN Server Reply
Â¬ Â¬ Â¬ Â¬ Â¬ Â¬ 6503 Stacheldraht Client Request
Â¬ Â¬ Â¬ Â¬ Â¬ Â¬ 6504 Stacheldraht Server Reply
Â¬ Â¬ Â¬ Â¬ Â¬ Â¬ 6505 Trinoo Client Request
Â¬ Â¬ Â¬ Â¬ Â¬ Â¬ 6506 Trinoo Server Reply
Â¬ Â¬ Â¬ Â¬ Â¬ Â¬ 6507 TFN2K Control Traffic
Â¬ Â¬ Â¬ Â¬ Â¬ Â¬ 6508 mstream Control Traffic
 log: the process of recording everything pertinent to a machine run; or a collection of messages.
D-WARD: DDoS Network Attack Recognition and Defense
Book on DDoS
General Computer Security
Proposed Computer Defense System Could Protect Networks From Becoming Launch pads For Crippling Internet Attacks
D-WARD: DDoS Network Attack Recognition and Defense, Ph.D. Dissertation Prospectus, 2002.
Network Security Principles and Practices, author: Saadat Malik, Cisco Press, 2003, ISBN: 1-58705-025-0.
Cisco Secure Intrusion Detection System, Author: Earl Carter; Issued: October 2001; Publisher: Cisco Press, 1st edition; ISBN: 158705034X.
Senior Network/System Administrator, Ming Plaza Development
28925 Clear Spring Lane, Highland, CA 92346, U.S.A.
M.S. on Computer Science, California State University.
CCIE, CCNP, CCNA (Cisco/CCIE: passed the Qualification Exam);
SCSA, SCNA (Sun/Solaris: Certified System and Network Administrators);
SCJP, SCWCD (Sun/Java: Certified Programmer and Web Component Developer);
Also research on Network Attacks and Network Security:
Cisco IDS/Secure PIX (Intrusion Detection Systems and Firewall);
D-WARD, DoS/DDoS (Denial of Service/Distributed Denial of Service);
Mydoom/Doomjuice Worms and DoS/DDoS attacks.