A collaborative approach to facilitate intrusion detection and response against DDoS attacks.

S. Zargar, J. Joshi
Published in: 6th International Conference on Collaborative Computing: Networking, Applications and Worksharing (CollaborateCom 2010)
Publication date: 2010-10-09
DOI: https://doi.org/10.4108/ICST.COLLABORATECOM.2010.46
Citations: 19

Abstract

Intrusion detection and response systems (IPSs) for protecting against distributed denial-of-service (DDoS) attacks will benefit significantly if all the routers within each autonomous system (AS) are capable of detection and response in addition to sampling. However, DDoS detection and response will incur high storage and processing overhead if each router does redundant detection and response tasks. Many overlay communication protocols have been introduced in the literature to achieve coordination among the routers, but they generally have high communication overheads. Furthermore, DDoS detection and response requires that all the flows intended for the same destination be analyzed together in order to efficiently capture the correlation between them. In order to do that, current approaches centrally collect all the sampled data and analyze them, which also increases the communication overhead. In this paper, we present a collaborative approach to distribute the sampling, detection, and response responsibilities among all the routers within the AS in such a way that each router can detect and respond to DDoS attacks. Our proposed approach achieves coordination among all the routers in the network to eliminate redundant sampling, detection, and response tasks without exploiting any specific communication protocol. We propose an optimal assignment of disjoint flows to each of the routers within the ASs in such a way that all the flows destined for the same host will be sampled, analyzed, and properly responded to at the same router. Each router can thus capture the correlation between flows destined for a specific destination.