Overfort: Combating DDoS with peer-to-peer DDoS puzzle

Soon Hin Khor, A. Nakao
DOI: 10.1109/IPDPS.2008.4536561 (https://doi.org/10.1109/IPDPS.2008.4536561)
Published in: 2008 IEEE International Symposium on Parallel and Distributed Processing (IPDPS 2008), 14 April 2008
Citations: 16

Abstract

The Internet community has long been convinced that distributed denial-of-service (DDoS) attacks are difficult to combat, since IP spoofing prevents traceback to the sources of attacks. Even if traceback is possible, the sheer number of sources that must be shut down renders traceback, by itself, ineffective. Due to this belief, much effort has been focused on winning the "arms race" against DDoS by over-provisioning resources. This paper shows how Overfort can withstand DDoS onslaughts without being drawn into an arms race by using higher-level traceback to the DDoS agents' local DNSes (LDNSes) and dealing with those LDNSes instead. Overfort constructs an on-demand overlay using multiple overlay-ingress gateways whose links are partitioned into many virtual links - each with a different bandwidth and IP - leading to the server, so as to project the illusion of multiple server IPs. An attacker is then faced with the daunting puzzle of finding all the IPs and, thereafter, the confusion of how much traffic to clog each IP with. Furthermore, Overfort has a mechanism to segregate LDNSes that are serving DDoS agents and restrict them to a limited number of IPs, thus saving the other available IPs for productive use. Both the proliferation of access channels to the server and the LDNS segregation mechanism are the key components that let Overfort defend against DDoS with significantly fewer resources.
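The following is an added illustration, not the paper's own implementation, of the two mechanisms the abstract describes: handing each querying LDNS a different virtual-link IP for the same server name, and, once a virtual link is flooded, tracing that IP back to the LDNS it was given to and confining that LDNS to a small quarantine pool so the remaining IPs stay available. Everything concrete here is assumed or constructed: the address pools, the per-link capacities, the resolver names, the sample traffic, the rule "load above link capacity means the link is clogged", and the round-robin sharing of quarantine IPs among flagged resolvers. The paper may choose any of these differently.

```python
"""Added illustration of the two Overfort mechanisms the abstract describes:
per-resolver server IPs over virtual links, and higher-level traceback from a
flooded IP to the local DNS (LDNS) that was handed it, followed by segregation.
This is example code, not the paper's implementation; the pools, link
capacities, sample traffic and clogging rule below are constructed."""

from collections import defaultdict


class OverfortDNS:
    """Authoritative name server in front of an Overfort-style overlay.

    Each LDNS that asks for the server name is handed a different
    virtual-link IP, so the server appears to have many addresses.
    """

    def __init__(self, public_pool, quarantine_pool):
        self.free = list(public_pool)          # virtual-link IPs for productive use
        self.quarantine = list(quarantine_pool)  # small pool reserved for flagged LDNSes
        self.ip_to_ldns = {}   # which LDNS was given which public IP
        self.ldns_to_ip = {}   # current answer for each unflagged LDNS
        self.flagged = {}      # flagged LDNS -> its quarantine IP
        # Flooded IPs are kept out of the pool; returning them once the flood
        # stops and cached answers expire is left out here (assumption).
        self.retired = set()

    def resolve(self, ldns):
        """Answer an A-record query coming from resolver `ldns`."""
        if ldns in self.flagged:
            return self.flagged[ldns]
        if ldns in self.ldns_to_ip:
            return self.ldns_to_ip[ldns]
        if not self.free:
            raise RuntimeError("no virtual-link IPs left to hand out")
        ip = self.free.pop(0)
        self.ip_to_ldns[ip] = ldns
        self.ldns_to_ip[ldns] = ip
        return ip

    def traceback(self, ip):
        """Higher-level traceback: flooded IP -> the LDNS that received it."""
        return self.ip_to_ldns.get(ip)

    def segregate(self, ip):
        """Flag the LDNS behind a flooded IP and confine it to the quarantine pool."""
        ldns = self.traceback(ip)
        if ldns is None:
            return None
        # Assumed policy: share the few quarantine IPs round-robin among flagged LDNSes.
        self.flagged[ldns] = self.quarantine[len(self.flagged) % len(self.quarantine)]
        del self.ldns_to_ip[ldns]
        del self.ip_to_ldns[ip]
        self.retired.add(ip)
        return ldns


def clogged_links(traffic, capacity):
    """Return the virtual-link IPs whose observed load exceeds link capacity.

    traffic: list of (destination_ip, megabits) samples from one interval;
    capacity: {ip: megabits per interval} for each virtual link (unequal by design).
    """
    load = defaultdict(int)
    for ip, mbit in traffic:
        load[ip] += mbit
    return sorted(ip for ip, mbit in load.items() if mbit > capacity.get(ip, 0))


def simulate():
    """One round: resolve, observe load, trace back, segregate, resolve again."""
    dns = OverfortDNS(
        public_pool=["198.51.100.10", "198.51.100.11", "198.51.100.12"],
        quarantine_pool=["203.0.113.250"],
    )
    # Constructed per-link capacities (Mbit per interval), deliberately unequal.
    capacity = {"198.51.100.10": 100, "198.51.100.11": 50, "198.51.100.12": 20}

    good = "ns.isp-a.example"            # LDNS serving legitimate clients (constructed)
    bad = "ns.botnet-isp.example"        # LDNS serving the DDoS agents (constructed)
    good_ip = dns.resolve(good)
    bad_ip = dns.resolve(bad)

    # Constructed traffic sample: legitimate users fit their link, bots flood theirs.
    traffic = [(good_ip, 30), (bad_ip, 400), (bad_ip, 350)]
    flooded = clogged_links(traffic, capacity)
    culprits = [dns.segregate(ip) for ip in flooded]

    return {
        "flooded": flooded,
        "culprits": culprits,
        "bad_after": dns.resolve(bad),    # now answered from the quarantine pool
        "good_after": dns.resolve(good),  # unchanged
        "free_left": len(dns.free),       # public IPs still available for new resolvers
    }


if __name__ == "__main__":
    print(simulate())
```

Because each resolver holds a different answer, the flooded address identifies the resolver population behind the bots without any packet-level traceback; the LDNS serving legitimate users keeps its original virtual-link IP and an unused public IP remains for the next resolver.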