Publications

Distributed defense against DDOS attacks

Abstract

Distributed denial-of-service attacks represent a major security problem. The main task of defense systems is to accurately detect these attacks and quickly respond to stop the oncoming flood. It is equally important to recognize the legitimate traffic that shares the attack signature and deliver it reliably to the victim. Unfortunately, there is no single deployment point on the attack tree that successfully meets all three requirements. Detection of the attack is most accurate close to the victim, while the response and separation of legitimate traffic from the attack traffic is most successful close to the sources. Additionally, in partial deployment cases when many potential sources do not deploy a source-end defense, adequate victim protection can only be achieved by enlisting the help of backbone routers to constrain attack traffic. These factors clearly indicate that the DDoS problem requires a distributed cooperative solution. We propose a distributed system for DDoS defense, called DefCOM. DefCOM nodes span source, victim and core networks and cooperate via an overlay to detect and stop attacks. Attack response is twofold: defense nodes constrain the attack traffic, relieving victim’s resources; they also cooperate to detect legitimate traffic within the suspicious stream and ensure its correct delivery to the victim. DefCOM design has a solid economic model where networks deploying defense nodes directly benefit from their operation. DefCOM further offers a framework for existing security systems to join the overlay and cooperate in the defense. These features create excellent motivation for wide deployment, and the possibility of large impact on DDoS …

Date
December 18, 2025
Authors
Jelena Mirkovic, Max Robinson, Peter Reiher, George Oikonomou
Journal
University of Delaware CIS Department Technical Report CIS-TR-2005-02