Distributed Denial of Service Defense

Typical Distributed Denial of Service (DDoS) attacks are used to render key resources unavailable, such as disrupting an organization’s website and temporarily blocking a consumer’s ability to access the site. A more strategic attack may render a key resource inaccessible during a critical period. Financial institutions, news organizations and providers of Internet security resources can all experience DDoS attacks. All organizations that rely on network resources are considered potential targets.

Approach

To achieve the program’s mission, multiple research projects are being conducted across three topic areas:

  • Measurement and Analysis to Promote Best Current Practices
  • Tools for Communication and Collaboration
  • Novel DDoS Attack Mitigation and Defense Techniques

Measurement and Analysis to Promote Best Current Practices

Some DDoS attacks make use of spoofed source addresses. Existing best practices filter out forged addresses at the network periphery. Additional best practices extend this guidance to more complex deployments. The collection of anti-spoofing best practices could help mitigate DDoS attacks that rely on forged addresses. Measurement and analysis tools are required to test whether new anti-spoofing deployments are successful, verify existing anti-spoofing practices are working correctly, and provide evidence to demonstrate both advantages and limitations when anti-spoofing best practices are deployed in an organization.

Project Performers

Prime: University of California San Diego (Principal Investigator (PI): Kim Claffy)

  • The University of California San Diego (UCSD) effort aims to measure and improve the use of source address validation (SAV) in the Internet. In many cases, an attacker can send Internet packets using a false source address. In other words, the attacker falsely reports the packets are coming from a company, organization, or government agency when in fact the packets are coming from the attacker. A number of denial of service attacks rely on the use of forged source addresses, and forged addresses make tracing the real source of attacks more difficult. SAV techniques could prevent this behavior if they are more broadly deployed and measured. The UCSD team proposes to research, develop, test, and demonstrate new tools and methodologies to monitor and promote SAV. If successful, the effort will increase the deployment of SAV across the Internet, making some attacks no longer possible and making many other attacks easier to defend against.
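The source address validation described in the two passages above amounts to an ingress filter at the network edge: a packet is forwarded only if its claimed source lies within a prefix the edge actually serves, and never if it lies in a range that cannot legitimately appear on the public Internet. The following is an added illustration, not code from the program or the UCSD project; the prefixes and packets are constructed sample values from the RFC 5737 documentation ranges.

```python
import ipaddress

# Prefixes assigned to a hypothetical customer-facing edge interface.
# Constructed sample values (RFC 5737 documentation ranges).
CUSTOMER_PREFIXES = [ipaddress.ip_network(p)
                     for p in ("192.0.2.0/24", "198.51.100.0/25")]

# Ranges that must never appear as a source on the public Internet
# (private, loopback, link-local, multicast, reserved).
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def sav_verdict(src, allowed=CUSTOMER_PREFIXES, bogons=BOGON_PREFIXES):
    """Classify one packet source: 'permit', 'drop-bogon' or 'drop-spoofed'.

    Bogons are checked first so that a private source arriving on the
    edge is reported as such rather than as a generic spoof.
    """
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in bogons):
        return "drop-bogon"
    if any(addr in net for net in allowed):
        return "permit"
    return "drop-spoofed"


def filter_packets(packets, allowed=CUSTOMER_PREFIXES, bogons=BOGON_PREFIXES):
    """Apply SAV to (src, dst) pairs; return forwarded packets and verdict counts.

    The counts are what an operator would export to verify the filter is
    active and to see how much forged traffic it is absorbing.
    """
    forwarded = []
    counts = {"permit": 0, "drop-bogon": 0, "drop-spoofed": 0}
    for src, dst in packets:
        verdict = sav_verdict(src, allowed, bogons)
        counts[verdict] += 1
        if verdict == "permit":
            forwarded.append((src, dst))
    return forwarded, counts


# Constructed sample traffic seen at the edge interface.
SAMPLE_PACKETS = [
    ("192.0.2.10", "203.0.113.5"),      # legitimate customer host
    ("198.51.100.77", "203.0.113.5"),   # legitimate, second prefix
    ("198.51.100.200", "203.0.113.5"),  # outside the /25 -> spoofed
    ("203.0.113.9", "203.0.113.5"),     # claims the victim's prefix -> spoofed
    ("10.0.0.4", "203.0.113.5"),        # private source -> bogon
]
```

Running `filter_packets(SAMPLE_PACKETS)` forwards only the two packets whose sources fall inside the served prefixes; a deployment whose counters never show drops while spoofed test traffic is injected is one the measurement work in the program would flag as not actually filtering.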

Tools for Communication and Collaboration

The distributed nature of DDoS attacks provides several advantages to the attacker. An attack often comes from a large number of compromised computers that span multiple organizations. Further, as network bandwidth and computational power increase, the attacker benefits from the increased resources, gaining the capability to conduct more powerful attacks. To counter the threat, organizations that make use of network services must invest in resources that keep pace with the growing scale of the attacks. Organizations that fail to keep pace run the risk of being overwhelmed. In addition, organizations that deploy resources carelessly may simply provide the attacker with easily compromised resources that can then be used in future attacks. Even organizations with global-scale capability, including those providing security-related services, have faced challenges in keeping pace with vast DDoS attacks.

Project Performers

Prime: University of Southern California Information Sciences Institute (ISI) (PI: Jelena Mirkovic)

Prime: Colorado State University (PI: Christos Papadopoulos)
Subcontractor: NoFutzNetworks (PI: John Reumann)
Subcontractor: University of New Mexico (PI: Michalis Faloutsos)

Prime: University of Oregon (PI: Jun Li)
Subcontractor: UCLA (PI: Peter Reiher)

Prime: Galois (PI: Jem Berkes)
Subcontractor: Spamhaus

Prime: Waverley Labs (PI: Juanita Koilpillai)
Subcontractor: Cloud Security Alliance (PI: John Yeo)

  • University of Southern California Information Sciences Institute (USC-ISI) will develop a generic interface between Internet Service Providers (ISPs) and other networks for attack diagnosis and mitigation, enabling communication across the Internet. Called SENSS (Software dEfiNed Security Service), this technology will allow end-users to observe and control their own traffic and routes within the ISP, helping them to anticipate a DDoS attack. The USC-ISI proposal suggests that deployment at 30 leading ISPs may eliminate 94% of attacks.
  • Colorado State University will build NetBrane (network membrane) for cloud-based services. While cloud-based security services offer some protection from DDoS, current solutions cannot benefit everyone. Many organizations, such as government, military and financial organizations, need to tightly control their data, which is incompatible with cloud services. To bridge this gap, NetBrane is a defense service that takes advantage of the desirable properties of cloud-based services but allows customers to keep their data locally.
  • The University of Oregon plans to create a cyber “DrawBridge” that can be used to block DDoS attack traffic from attacking an organization. Currently, individual organizations are not able to manage the traffic flow to their network because this function is managed by the Internet Service Provider (ISP). By implementing the drawbridge at the ISP traffic point, this project will allow the organization to work closely with the ISP to stop undesirable traffic to the organization’s network. The coordination of efforts between the ISP and the organization will give the organization an advantage in the event of a DDoS attack.
  • The Galois team will develop a DDoS response solution based on communication software, deployed at multiple organizations. Due to the massive size of modern DDoS attacks, medium-sized organizations face difficulties mitigating the damage if they act alone. Recognizing the need for organizations to collaborate in order to withstand such attacks, the Galois team will develop a DDoS response solution based on communication software that lets them collaborate. The DDoS traffic details are shared through peer-to-peer software, giving the teamed organizations the benefit of mutual detection and a unified defense to block attacks originating from thousands of locations.
  • Waverley Labs will work collaboratively with the international Cloud Security Alliance to develop new tools and techniques for defending against DDoS attacks. The key results of this effort will be made available to the general public through open source software releases. Once this open source project is complete, federal organizations, critical infrastructure providers, and organizations that rely on cloud delivery will all be able to use the results to develop cloud services that are resistant to DDoS attacks.

Novel DDoS Attack Mitigation and Defense Techniques

This technical topic area seeks to address new variations of denial of service attacks. Denial of service attack concepts are being directed at a growing range of services. For example, in spring 2013, DHS and the Federal Bureau of Investigation (FBI) issued warnings for denial of service attacks targeting emergency management services, such as 911 systems. Systems including, but not limited to, mobile devices, cyber physical systems, and critical infrastructure components are all potential targets for these attacks. Further, new variations of denial of service attacks exploit weaknesses such as overwhelming power supplies, software vulnerabilities, and other features. Too often the response to new types of attacks and targets is reactive: attackers develop new techniques and/or target new systems, and this drives mitigation efforts. Ideally, new techniques and new targets would be anticipated and defenses would be proactively developed before large scale attacks occur. Therefore, the goal of this thrust area is to identify potential targets for DDoS that have not been subject to known large scale DDoS attacks, and to develop DDoS mitigation capabilities that will be able to withstand a DDoS attack that is double in magnitude from the capabilities of the target’s DDoS defense capability at the beginning of the project. Emergency management systems and cyber physical systems are examples of non-traditional targets that are vulnerable to denial of service and most relevant to this topic area.

Project Performers

Prime: University of Delaware (PI: Haining Wang)
Subcontractor: Ohio State University (PI: Xiaorui Wang)
Subcontractor: IBM (PI: Xin Hu)

Prime: University of Houston (PI: Weidong (Larry) Shi)
Subcontractor: SecureLogix (PI: Mark Collier)
Subcontractor: FirstWatch (PI: Todd Stout)
Subcontractor: Industry Council for Emergency Response Technologies (PI: George Rice)

  • The University of Delaware project aims to address new types of malicious attacks that target data centers. New system attacks differ from conventional DDoS attacks in terms of their purpose, methodology, and effects. Instead of flooding the victim servers, their traffic behaviors will mimic those of normal users. However, data centers may incur more serious damage from these attacks than conventional DDoS attacks since they aim to create energy, power, and thermal emergencies. Systems will be better secured by using accumulated data analytics; these will allow operators to more accurately track irregularities, along with changes in energy consumption per client, server power consumption, and the relation to increases in server temperature. A better understanding of established baselines will lead to faster identification of unexpected system changes, and thereby speed up operator reaction time.
  • The University of Houston-led research team will be working to develop mitigation strategies that are low cost, based on open standards, and can significantly strengthen the resilience of emergency response systems against DDoS attacks. The proposed solution leverages the cloud computing model by providing on-demand networking and computing capacities when requests suddenly surge. In addition, the team plans to employ context-based automated smart interactive response (SIR) to verify the validity of emergency calls.

For more information on this topic visit the BAA website.

Contact

Program Manager: Dan Massey

Email: SandT-Cyber-Liaison@hq.dhs.gov
