DocumentCode :
3177326
Title :
Middleware-based approach for preventing distributed deny of service attacks
Author :
Yu, Wei ; Xuan, Dong ; Zhao, Wei
Author_Institution :
Dept. of Comput. Sci., Texas A&M Univ., College Station, TX, USA
Volume :
2
fYear :
2002
fDate :
7-10 Oct. 2002
Firstpage :
1124
Abstract :
We extend our previous study on VPOE (virtual private operation environment) to provide DDOS (distributed denial of service) prevention in a distributed heterogeneous environment (Wei Yu et al., IEEE Trans. on Systems, Man, and Cybernetics, 2002). We introduce our integrated middleware-based defense system to support this service by studying two important components, middleware box and domain agent. Our technology includes the following: (1) we adopt network-based middlewares which are realized by special devices inserted in various locations of the network and which cooperate to achieve the defense mission objectives; (2) we take generic primitive and role-based approaches; with network primitives, middlewares are programmable entities and can change their roles during the system run-time according to the system defense requirements; (3) we take generic signaling control protocols by which middlewares can cooperate with each other effectively to achieve the high defense performance globally. Middlewares provide transparent services to applications and make our solution both upward and downward compatible. Thus, our technology can easily be deployed with the current infrastructures. By using the generic middleware box control protocols and network primitives, the middleware boxes can cooperatively share the countermeasure information and easily change their roles in run-time to prevent DDOS attacks efficiently. In this sense, our defense system can adaptively deploy the defense strategy according to the dynamic network attack situation. As a result, our technology is effective and can be used in a large system.
Keywords :
Internet; middleware; protocols; software agents; telecommunication computing; telecommunication security; telecommunication signalling; Internet; distributed denial of service; distributed heterogeneous environment; domain agent; generic primitive approach; generic signaling control protocol; middleware box; role-based approach; virtual private operation environment; Communication system control; Computer crime; Computer science; Distributed computing; Information science; Internet; Middleware; Protocols; Runtime; Telecommunication traffic;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
MILCOM 2002. Proceedings
Print_ISBN :
0-7803-7625-0
Type :
conf
DOI :
10.1109/MILCOM.2002.1179635
Filename :
1179635