Defending against Distributed Denial of Service

Distributed Denial of Service (DDoS) attack is currently a serious problem in the Internet. It is characterized by an explicit attempt by an attacker to prevent legitimate users of a service from using the desired resource. The counter measures have been researched for some years, which can be classified into two categories, one is passive, and the other is active. We conclude that most current defense measures are passive, that is, the defense actions are taken only after the DDoS attacks are launched. Therefore, more or less, the target host or network is harmed before the attack source(s) can be found and controlled. Current passive defense techniques and their limitations are analyzed. We discuss some passive mechanisms such as traffic monitoring, filtering, and congestion control. After that, we propose a novel concept of active defense against DDoS attacks. This is a new point of view to treat the problem of defeating the infamous DDoS attacks on the Internet. It has numerous of advantages over conventional passive defense mechanisms. As an example of active defense, we introduce the Distributed Active Defense System (DADS) project at Deakin University. Challenges and future work of active defense against DDoS is discussed in the later part.