Presenter: Min Suk Kang
Authors: Soo Bum Lee (Carnegie Mellon University), Min Suk
Kang (Carnegie Mellon University), Virgil D. Gligor (Carnegie Mellon
University)
Traditional DDoS attacks target specific endpoints or
servers. However, in recent years we have seen several attacks geared towards
specific links, instead of a large number of hosts. Traditional flow filtering
schemes are susceptible to these attacks because attack flows (which are
typically low-rate, have diverse source/destination addresses, and are protocol
conforming) are often indistinguishable from benign flows.
The proposed scheme (called CoDef) relies on collaboration
among ASes. Attack source and target ASes are generally motivated to
collaborate to curb this attack. CoDef uses collaborative rerouting, in which
the target AS asks neighboring ASes to reroute traffic via other paths, essentially
dispersing attack and benign traffic. If the attacker is aware of this reroute
and chooses to re-launch the attack by creating new flows, the attacker will
be identified.
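The check implied by the paragraph above, sketched as an added example (not code from the CoDef paper or the presentation): after a reroute request, a source AS whose flows have left the target link looks benign, while one that puts new flows on that link stands out. The flow-record layout, the link names, the three verdict labels and the AS numbers (taken from the documentation range) are assumptions made for this sketch.

```python
from collections import defaultdict

TARGET_LINK = "L1"  # hypothetical name for the flooded link

# Constructed observations at the target AS: (source_as, flow_id, link, phase),
# where phase is "before" or "after" the reroute request was sent.
SAMPLE = [
    (64500, "f1", "L1", "before"), (64500, "f1", "L2", "after"),
    (64501, "f2", "L1", "before"), (64501, "f3", "L1", "after"),
    (64501, "f4", "L1", "after"),
    (64502, "f5", "L1", "before"), (64502, "f5", "L1", "after"),
]

def classify_source_ases(observations, asked_to_reroute, target_link=TARGET_LINK):
    """Return {source_as: verdict} for every AS that was asked to reroute.

    rerouted     - no flows from the AS cross the target link any more
    not_rerouted - only flows seen before the request still cross the link
    relaunched   - flows that did not exist before the request now cross it
    """
    before, after = defaultdict(set), defaultdict(set)
    for src_as, flow_id, link, phase in observations:
        if link != target_link:
            continue  # traffic on other paths has been dispersed as intended
        (before if phase == "before" else after)[src_as].add(flow_id)

    verdicts = {}
    for asn in asked_to_reroute:
        still_on_link = after[asn]
        if not still_on_link:
            verdicts[asn] = "rerouted"
        elif still_on_link - before[asn]:
            verdicts[asn] = "relaunched"
        else:
            verdicts[asn] = "not_rerouted"
    return verdicts

if __name__ == "__main__":
    for asn, verdict in classify_source_ases(SAMPLE, [64500, 64501, 64502]).items():
        print(f"AS{asn}: {verdict}")
```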
After collaborative rerouting, CoDef uses collaborative
rate-control and path pinning (which were not discussed during the
presentation). The evaluation was conducted using topology data from CAIDA.
CoDef does not require changes to BGP or OSPF.
Q: Can CoDef identify the attack source inside the attack AS?
A: No, CoDef would notify the AS owner/ISP.
Q: What is the cost of the routing change employed by CoDef?
Someone can abuse the system with false collaborative rerouting advertisements;
how does CoDef cater for that?
A: We envision that CoDef will be a premium service. The
costs of the service would hinder false use.