Researchers with the Defense Advanced Research Projects Agency (DARPA) will next month detail a new program they hope will ratchet-up the way the military, public and private enterprise protect their networks from distributed denial-of-service DDoS attacks.
+More on network World: DARPA wants to toughen-up WAN edge networking, security+
The need for such new defenses is obvious: The number of distributed denial-of-service (DDoS) attacks in first quarter of 2015 more than doubled the number of attacks in Q1 of 2014 and attack sites are growing more dangerous, and more capable of launching attacks in excess of 100 Gbps, according to a recent Akamai Technologies State of the Internet Security report.
A clear need therefore exists for fundamentally new DDoS defenses that afford far greater resilience to these attacks, across a broader range of contexts, than existing approaches or evolutionary extensions, DARPA stated.
The DARPA program, called Extreme DDoS Defense (XD3) looks to :
- thwart DDoS attacks by dispersing cyber assets (physically and/or logically) to complicate adversarial targeting
- disguise the characteristics and behaviors of those assets to confuse or deceive the adversary
- blunt the effects of attacks that succeed in penetrating other defensive measures by using adaptive mitigation techniques on endpoints such as mission-critical servers.
DARPA says that the current art in DDoS defense generally relies on combinations of network-based filtering, traffic diversion and ”scrubbing,” or replication of stored data (or the logical points of connectivity used to access the data) to dilute volumetric attacks and/or to provide diverse access for legitimate users. In general, these existing approaches fall well short of desired capabilities in several respects because:
- Responses to DDoS attacks are too slow and manually driven, with diagnosis and formulation of filtering rules often taking hours to formulate and instantiate. In contrast, military communication often demands that disruptions be limited to minutes or less.
- Low-volume DDoS attacks remain exceedingly difficult to identify and block with in-line detection techniques. Even for volumetric DDoS attacks, in-line filtering can present daunting tradeoffs between the desire for complete blockage of malicious traffic and the need to “do no harm” to legitimate communication (i.e., maximizing true positives while minimizing false positives).
- Mechanisms that rely on in-line inspection of data flows may be problematic for handling encrypted tunnels, and pose scalability challenges as network bandwidths continue to increase.
- Defensive methods must be applicable to real-time, transactional services as well as to cloud computing. Techniques that are only useful for protecting the storage and dissemination of quasi-static data are insufficient.
For XD3 meeting details go here.
Check out these other hot stories: