The threat of distributed denial of service (DDoS) attacks has been well-recognized in the data networking world for two decades. Such attacks are orchestrated by sets of networked hosts that collectively act to disrupt or deny access to information, communications or computing capabilities, generally by exhausting critical resources such as bandwidth, processor capacity or memory of targeted resources. The nature of DDoS attacks can span a wide range. Botnet-induced volumetric attacks, which can generate hundreds of gigabits per second of malicious traffic, are perhaps the best-known form of DDoS. However, low-volume DDoS attacks can be even more pernicious and problematic from a defensive standpoint. Such attacks target specific applications, protocols or state-machine behaviors while relying on traffic sparseness (or seemingly innocuous message transmission) to evade traditional intrusion-detection techniques.
The current art in DDoS defense generally relies on combinations of network-based filtering, traffic diversion and ”scrubbing” or replication of stored data (or the logical points of connectivity used to access the data) to dilute volumetric attacks and/or to provide diverse access for legitimate users. In general, these existing approaches fall well short of desired capabilities in terms of response times, the ability to identify and to thwart low-volume DDoS, the ability to stop DDoS within encrypted traffic and the need to defend real-time transactional services such as those associated with cloud computing and military command and control.
DARPA’s Extreme DDoS Defense (XD3) program will focus on three broad areas of opportunity to improve resilience against DDoS attacks. The program aims to thwart DDoS attacks by: (1) dispersing cyber assets (physically and/or logically) to complicate adversarial targeting; (2) disguising the characteristics and behaviors of those assets through networked maneuver to confuse or deceive the adversary; and (3) using adaptive mitigation techniques on endpoints (e.g., mission-critical servers) to blunt the effects of attacks that succeed in penetrating other defensive measures. This research program will include formulation of new algorithms, demonstrations and field exercises with software prototypes, development of performance metrics to assess effectiveness and integration of systems across the three aforementioned areas to maximize overall defensive capabilities.