Journal of Network and Systems Management

, Volume 12, Issue 1, pp 73–94 | Cite as

Distributed Management Architecture for Cooperative Detection and Reaction to DDoS Attacks

  • G. KoutepasEmail author
  • F. Stamatelopoulos
  • B. Maglaris


We propose a cooperative intrusion detection framework focused on countering Distributed Denial-of-Service (DDoS) attacks through the introduction of a distributed overlay early-warning network. Our goal is to minimize the detection and reaction time and automate responses, while involving as many networks as possible along the attack path. The proposed approach relies on building a “community” of trusted partners that will cooperate by exchanging security information so that inclusion in the attack path is detected locally and without traceback procedures. The main building block is the Cooperative anti-DDoS Entity, a modular software system deployed in each participating network domain that supports secure message exchanges and local responses tailored to individual sites' policies. We discuss the operation and the implementation of a prototype, and we provide a survey of the methodologies against DDoS and compare our approach to related work.

Network security distributed management inter-domain multicast automated reaction 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    G. Koutepas, F. Stamatelopoulos, and B. Maglaris, Efficiency and performance issues in distributed intrusion detection systems, Applied Telecommunication Symposium 2002 (ATS 02), San Diego, California, April 2002.Google Scholar
  2. 2.
    D. Moore, G. Voelker, and S. Savage, Inferring Internet denial-of-service activity, Proc. Tenth USENIX Sec. Symp., 2001.Google Scholar
  3. 3.
    Minho, Sung, Markus, Haas, and Jun, Xu, Analysis of DoS attack traffic data, 2002 FIRST Conference (, Hawaii, June 2002.Google Scholar
  4. 4.
    R. Chang, Defending against flooding-based distributed denial-of-service attacks: A tutorial, IEEE Communications Magazine, pp. 42–51, October 2001.Google Scholar
  5. 5.
    J. Mirkovic, J. Martin, and P. Reiher, A Taxonomy of DDoS attacks and DDoS defense mechanisms, University of California, Technical Report#020018 2002. (Also available at Scholar
  6. 6.
    M. Behringer, Tracing DoS attacks, Hi Tech 2002 Workshop, Limmerick, IE, June 2002.Google Scholar
  7. 7.
    R. Manajan, S. Bellovin, S. Floyd, J. Ioannidis, V. Paxson, and S. Shenker, Controlling high bandwidth aggregates in the network, ACM SIGCOMM Computer Communication Review, Vol. 32, No. 3, pp. 62–73, 2002.Google Scholar
  8. 8.
    C. Estan and G. Varghese, New directions in traffic measurement and accounting, Proceedings of the 2001 ACM SIGCOMM Internet Measurement Workshop, pp. 75–80, (San Francisco, California), November 2001.Google Scholar
  9. 9.
    Cisco IOS NetFlow, Scholar
  10. 10.
    C. Kotsokalis, D. Kalogeras, and B. Maglaris, Router-based detection of DoS and DDoS attacks, HP OpenView University Association (HPOVUA) Conference '01, Berlin, Germany, June 2001.Google Scholar
  11. 11.
    K. K. Wan and R. Chang, Engineering of a global defence infrastructure for DDoS attacks, Proc. of IEEE International Conference on Networking, August 2002.Google Scholar
  12. 12.
    D. Sterne, K. Djahandari, B. Wilson, B. Babson, D. Schnackenberg, H. Holliday, and T. Reid, Autonomic response to distributed denial-of-service attacks, Proceedings of the Fourth International Symposium on Recent Advances in Intrusion Detection, RAID 2001, Davis, California, pp. 134–149, October 2001.Google Scholar
  13. 13.
    D. Schnackenberg, K. Djahandari, and D. Sterne, Infrastructure for intrusion detection and response, Proceedings of the DARPA Information Survivability Conference and Exposition (DISCEX II), Anaheim, California, January 2000.Google Scholar
  14. 14.
    A. Snoeren, C. Partridge, L. Sanchez, C. Jones, F. Tchakountio, S. Kent, and W. Strayer, Hash-based IP traceback, Proceedings of the ACM SIGCOMM 2001 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communication,August 2001.Google Scholar
  15. 15.
    J. Ioannidis and S. Bellovin, Implementing pushback: Router-based defense against DDoS attacks, Network and Distributed System Security Symposium, NDSS '02, San Diego, California, February 2002.Google Scholar
  16. 16.
    S. Savage, D. Wetherall, A. Karlin, and T. Anderson, Practical network support for IP traceback, Proceedings of the ACM SIGCOMM Conference, Stockholm, Sweden, pp. 295–306, August 2000.Google Scholar
  17. 17.
    D. Dean, M. Franklin, and A. Stubblefield, An algebraic approach to IP traceback, Network and Distributed System Security Symposium, NDSS '01, February 2001.Google Scholar
  18. 18.
    R. Stone, CenterTrack: An IP overlay network for tracking DoS floods, Ninth USENIX Security Symposium, Denver Colorado, August 2000.Google Scholar
  19. 19.
    K. Park and H. Lee, On the effectiveness of route-based packet filtering for distributed DDoS attack prevention in power-law internets, Proc. of the ACM SIGCOMM, 2001.Google Scholar
  20. 20.
    Trusted Introducer for CSIRTs in Europe, Scholar
  21. 21.
    K. Almeroth, The evolution of multicast: From the MBone to inter-domain multicast to Internet2 deployment, IEEE Network, January/February 2000.Google Scholar
  22. 22.
    D. Curry and H. Debar, Intrusion detection message exchange format data model and extensible Markup Language (XML) document type definition, IETF Internet Draft, draft-ietf-idwg-idmef-xml-10.txt, January 2003.Google Scholar
  23. 23.
    Sun Microsystems, Java Management Extensions Instrumentation and Agent Specification, v1. 2, February 2002. Scholar
  24. 24.
    K. Wan, An infrastructure to defend against distributed denial-of-service attack, M.Sc. Thesis, The Hong Kong Polytechnic University, June 2001.Google Scholar
  25. 25.
    Q. Zhang and R. Janakiraman, Indra: A distributed approach to network intrusion detection and prevention, Washington University Technical Report # WUCS–01–30, 2001.Google Scholar
  26. 26.
    D. Frincke, D. Tobin, J. McConnell, J. Marconi, and D. Polla, A framework for cooperative intrusion detection, Proceedings of the 21st National Information Systems Security Conference, pp. 361–373, October 1998.Google Scholar

Copyright information

© Plenum Publishing Corporation 2004

Authors and Affiliations

  1. 1.Network Management and Optimal Design Laboratory, Electrical and Computer Engineering DepartmentNational Technical University of Athens, ZografouAthensGreece

Personalised recommendations