Evaluating Methods of Defending Against Distributed Denial of Service Attacks

Our project will focus on evaluating current techniques and architectures for defending against distributed denial of service (DDoS) attacks in terms of the tradeoffs involved in implementing them.

A denial of service attack is considered to take place only when access to a computer or network resource is intentionally blocked or degraded as a result of malicious action taken by another user. These attacks do not necessarily damage data directly, or permanently, but they intentionally compromise the availability of the resource [5]. In a distributed denial of service (DDoS) attack, an attacker can launch tens of thousands of concurrent attacks on one target or a set of targets by using unprotected Internet nodes around the world to coordinate the attacks [3].

Many different methods have been proposed to defend against DDoS attacks. Three types of methods are summarized as follows:

1. Reactive defense methods, such as caching or replication, can defer the damage of DDoS attacks at the server side [1][9] in real time. However, these methods can neither identify the attackers nor provide evidence for assigning liability.

2. Probabilistic IP traceback [8] seems a promising method for approximating the source of the attacks in denial of service attacks. If assigning liability for denial of service (DoS) attacks becomes a government policy, a legal concern or the baseline of cyber insurance [2], the technique for tracing back the source would be very critical. However, this method imposes overhead on routers and may not be effective in DDoS attacks [6]. In addition, saving logs of the IP packet headers could be an overhead for the victim site.

3. IP filtering [7] is another way of avoiding spoofed source IP addresses, but may not be useful for assigning liability.

Our project will consist of the following parts:

1. Survey one of the above methods to understand the pros and cons of existing methods.

2. Design a simulation to evaluate the effectiveness of the methods in 1. We will identify a set of attributes that can describe the tradeoff made in each method and run experiments by varying these attributes. We are considering a simulation tool called OMNeT++ [10] for the simulation because of its ability to generate network topologies and perform discrete event simulation.

3. In addition to surveying the current methods, we are interested in whether we can revise one of the methods to improve its effectiveness in terms of a practical set of attributes.

References

[1] S. Ali and J. Small, "SOAR - Self Organization and Recovery: A Solution to the Distributed Denial of Service Attack using Web Caching," Carnegie Mellon University, 2000.

[2] F. Buchholz, T. E. Daniels, B. Kuperman, and C. Shields, "Packet Tracker Final Report," CERIAS, Purdue University, West Lafayette, IN, 2000.

[3] CERT, "Results of the Distributed-Systems Intruder Tools Workshop," CERT Coordination Center, Pittsburgh, Pennsylvania, USA, November 2-4, 1999.

[4] X. Geng and A. B. Whinston, "Defeating Distributed Denial of Service Attacks," in IEEE Professionals, 2000.

[5] J. D. Howard, "An Analysis of Security Incidents on the Internet," Department of Engineering and Public Policy. Pittsburgh, PA: Carnegie Mellon University, 1998.

[6] K. Park and H. Lee, "On the Effectiveness of Probabilistic Packet Marking for IP Traceback under Denial of Service Attack," presented at Proceedings of IEEE INFOCOM, 2001.

[7] K. Park and H. Lee, "A Proactive Approach to Distributed DoS Attack Prevention using Route-Based Packet Filtering," Department of Computer Science, Purdue University, CSD-TR 00-017, December 3, 2000.

[8] S. Savage, D. Wetherall, A. Karlin, and T. Anderson, "Practical Network Support for IP Traceback," presented at The 2000 ACM SIGCOMM Conference, Stockholm, Sweden, 2000.

[9] J. Yan, S. Early, and R. Anderson, "The XenoService - A Distributed Defeat for Distributed Denial of Service," presented at Information Survivability Workshop, 2000.

[10] OMNeT++ Discrete Event Simulation System. Available at http://www.hit.bme.hu/phd/vargaa/omnetpp.htm.