Publication Details

Title: DDoS Defense by Offense
Author: M. Walfish, M. Vutukuru, H. Balakrishnan, D. Karger, and S. Shenker
Bibliographic Information: ACM Transactions on Computer Systems, Vol. 28, Issue 1, No. 3, pp. 1-54. A version of this article appeared in the proceedings of ACM Special Interest Group on Data Communications Conference (SIGCOMM 2006), Pisa, Italy, pp. 303-314, September 2006.
Date: March 2010
Research Area: Networking and Security
Type: Article in journal or magazine
PDF: http://www.icsi.berkeley.edu/pubs/networking/ddosdefense06.pdf

Overview:
This article presents the design, implementation, analysis, and experimental evaluation of speak-up, a defense against application-level distributed denial-of-service (DDoS), in which attackers cripple a server by sending legitimate-looking requests that consume computational resources (e.g., CPU cycles, disk). With speak-up, a victimized server encourages all clients, resources permitting, to automatically send higher volumes of traffic. We suppose that attackers are already using most of their upload bandwidth so cannot react to the encouragement. Good clients, however, have spare upload bandwidth so can react to the encouragement with drastically higher volumes of traffic. The intended outcome of this traffic inflation is that the good clients crowd out the bad ones, thereby capturing a much larger fraction of the server's resources than before. We experiment under various conditions and find that speak-up causes the server to spend resources on a group of clients in rough proportion to their aggregate upload bandwidths, which is the intended result.

Acknowledgements:
This work was partially supported by funding provided through National Science Foundation grants CNS: 0225660 ("Robust Large-Scale Distributed Systems") and CNS: 0520241 ("Internet Revolution through Flat Resolution"), by an NDSEG Graduate Fellowship, and by British Telecom. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors or originators and do not necessarily reflect the views of the funders.

Bibliographic Reference:
M. Walfish, M. Vutukuru, H. Balakrishnan, D. Karger, and S. Shenker. DDoS Defense by Offense. ACM Transactions on Computer Systems, Vol. 28, Issue 1, No. 3, pp. 1-54. A version of this article appeared in the proceedings of ACM Special Interest Group on Data Communications Conference (SIGCOMM 2006), Pisa, Italy, pp. 303-314, September 2006. March 2010.