Title :
Combining Speak-Up with DefCOM for Improved DDoS Defense
Author :
Mehta, Mohit ; Thapar, Kanika ; Oikonomou, George ; Mirkovic, Jelena
Author_Institution :
Dept. of Comput. & Inf. Sci., Univ. of Delaware, Newark, DE
Abstract :
This work combines two existing defenses against distributed denial-of-service (DDoS) attacks - DefCOM and speak-up - resulting in a synergistic improvement. DefCOM defense organizes existing source-end, victim-end and core defenses into a collaborative overlay to filter DDoS floods. Source networks that do not participate in DefCOM often receive poor service and their traffic is severely rate-limited. This is because core nodes in DefCOM that perform filtering lack cheap algorithms to differentiate legitimate from attack traffic at line speed - they must conservatively assume all high-rate traffic from legacy networks to be attack. Thus, in its attempt to mitigate DDoS, DefCOM ends up denying service during attacks to legitimate hosts that reside in legacy networks. Speak-up is a recently proposed defense, which invites all clients of the DDoS victim to send additional payment traffic, with the assumption that attack machines are already sending close to their full capacity. Clients that send a lot of payment traffic are considered legitimate and whitelisted. Speak-up is relatively cheap to deploy at the clients and the DDoS victim, but since payment traffic needs to be sent continuously, this creates additional congestion at the victim, which is undesirable. We combine speak-up and DefCOM into a synergistic defense that addresses the shortcomings of the individual defenses and confirms the success of collaborative protection against DDoS attacks. Speak-up is integrated with core defenses in DefCOM and whitelists clients based on their payment traffic. Legitimate clients in legacy networks can thus be detected and served. Further, since Speak-up is implemented in the core, payment and attack traffic do not reach the victim and any undesirable congestion effects are localized to the vicinity of legacy networking.
Keywords :
military communication; telecommunication services; telecommunication traffic; DDoS defense; DefCOM; congestion effects; core defenses; legacy networking; legacy networks; payment traffic; Collaboration; Collaborative work; Communication system traffic control; Communications Society; Computer crime; Distributed computing; Filters; Protection; Telecommunication traffic; USA Councils;
Conference_Title :
Communications, 2008. ICC '08. IEEE International Conference on
Conference_Location :
Beijing
Print_ISBN :
978-1-4244-2075-9
Electronic_ISBN :
978-1-4244-2075-9
DOI :
10.1109/ICC.2008.329