FloCon 2017

Distributed Denial of Service (DDoS) attacks have grown dramatically in size over the last few years. Modern amplification attacks can easily generate over 500 Gbps of traffic, threatening companies, ISPs and cloud infrastructure. To help defend against these advanced threats, Galois is developing 3DCoP: a peer-to-peer (P2P) system that uses collaboration between networks to detect and mitigate malicious traffic. 3DCoP analyzes traffic and shares information about suspicious patterns, allowing the community of peers to detect and respond to threats before their networks are overwhelmed with traffic. Our simulations show that 3DCoP may be able to detect spoofed IP addresses and suppress
amplification-based DDoS attacks.

In our system, each network runs a 3DCoP node that monitors the traffic crossing their boundaries. The nodes are connected to each other over a decentralized P2P network, allowing messages to be exchanged out-of-band over various transport mechanisms as needed, giving resilience and flexibility under attack conditions.

With 3DCoP, different networks can exchange messages about their flows, effectively letting them talk about their traffic. This innovation leads to many interesting possibilities, and in this project we are focusing on using this flow-sharing to achieve DDoS defense. Even with a minimal deployment of 3DCoP nodes, it may be possible to mitigate DDoS attacks closer to their sources. This innovative system potentially gives small and medium sized networks the ability to defend themselves against even the largest scale DDoS attacks.

This project is the result of funding provided by the Science and Technology Directorate of the United States Department of Homeland Security under contract number D15PC00185. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of the Department of Homeland Security, or the U.S. Government.