Printable Version of this PageHome PageRecent ChangesSearchSign In
D-WARD: Source-End Defense Against Distributed Denial-of-Service Attacks
Jelena Mirkovic
University of California at Los Angeles

This PhD thesis basically proposes a new approach to build a network security system. It takes a different direction to achieve a goal. This source-end defense system, called D-WARD, is located at networks that are hosting some of the attack machines, not the victims’ machines. D-WARD monitors and polices the outgoing traffic from those networks, thus controlling attacks. This system provides a highly selective response to distributed denial-of-service (DDoS) attacks, inflicting almost no damage to legitimate traffic. D-WARD needs to be installed at the network hosting attack machines, otherwise it will not be able to protect the legitimate clients from attacks.

This thesis begins with the summary of the DDoS problem. The author describes the basis of DDoS attacks. She also explains the characteristics of good DDoS defense in order to effectively protect the network. They are distributed, selective, adaptive and customizable. Then comes the D-WARD solution. D-WARD adheres to several principles that are main contributors to its good performance. Firstly, it makes very few assumptions. It is only aware of its policy address set and it observes symmetric traffic. Secondly, it detects legitimate, not attack behavior. The author argues that a system that detects malicious behavior becomes useless as soon as the attack changes and detecting legitimate traffic might be a better solution. Thirdly, it builds model based on protocol specification rather than on observed behavior. Next, it applies dynamic response. Due to the possibility of its observations and actions occasionally be wrong or the network conditions change, D-WARD frequently reevaluates its response and adjusts itself promptly to observations. D-WARD also has modular design, which enables easy modifications and integration with other defense systems. Lastly, it is an autonomous system. If D-WARD is integrated with other defense systems, it can achieve excellent performance in autonomous operation, as has been demonstrated in numerous experiments performed by the authors and by independent evaluators.

The author argues that to solve a distributed DoS problem requires a distributed solution. D-WARD is only one of the building blocks of the complete solution to enhance Internet security. D-WARD even shows the improved performance when combined with other defense systems.

I think the author did the job very well in explaining the basis of network security, the definition and goals of distributed denial-of-service attacks and the approach she took to describe how the system works so that the person who has little of knowledge in network security like me can easily understand the concepts. I like the source-end approach as it is an easy yet effective way to tackle network security problems. People in security community always think the way to protect the victims by installing the defense system at the victims’ ends, but this work just looked at the other way. The performance results are very thorough and detailed; the author experimented the D-WARD system with many kinds of attacks to make certain it really works. I also like that the author uses the protocol specification to catch the legitimate traffic instead of attackers’ traffic.

Last modified 24 November 2007 at 2:57 pm by panichsa