Problem Statement:Collaborative Defense of DDoS Attacks

Introduction Distributed Denial of Service (DDoS) attacks have become a pervasive threat, causing significant disruptions to online services and networks. Collaborative mitigation strategies are needed to effectively counter these attacks. This problem statement aims to address the challenges and issues associated with collaborative defense against DDoS attacks.

Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

DDoS Attacks A Distributed Denial-of-Service (DDoS) attack is a method where multiple hosts are controlled to simultaneously target and disrupt the services, hindering legitimate users' access. DDoS attacks can be categorized into three main types based on their effects: resource exhaustion-based, link exhaustion-based, and network exhaustion-based attacks. Due to their low cost and significant impact, DDoS attacks have become increasingly popular, with attackers continuously improving their techniques and intensifying their attacks. The following trends characterize the evolution of DDoS attacks: * Increase in peak and average attack traffic, reaching terabit-level peak volume. * Rapid surge in attack traffic, capable of escalating to 800 Gbps within seconds. * Emergence of combination attacks as the mainstream approach, where attackers employ multiple attack methods concurrently or sequentially. * Continual emergence of new attack techniques, such as leveraging novel vulnerabilities or using innovative means to exploit weaknesses in defense systems. These evolving DDoS attack trends pose significant challenges to current DDoS mitigation systems.

Current Defense Landscape DDoS defense systems have been deployed at various nodes in the global network topology. From a network topology perspective, the deployment locations of DDoS defense systems can be classified as follows: * International ingress/egress points: These critical nodes handle the exchange of network packets between different countries and regions. Typically, they deploy DDoS mitigation capabilities like blackhole routing and BGP Flowspec. * ISP backbone and metropolitan networks: These networks possess abundant resources and robust mitigation capabilities to handle high-volume attacks. However, due to the substantial volume of network traffic, traffic analysis can be time-consuming. * Software service providers: As the last line of defense, these providers have detection capabilities for various attacks. However, limited resources are allocated for mitigation due to cost constraints. The internet is a highly complex and extensive network composed of numerous LANs (Local Area Networks). Different LANs have different owners, varying in scale and DDoS defense resource allocations.

The Necessity of Collaboration DDoS attacks have become an international threat, often traversing multiple LANs and involving various network operators, spanning different regions and countries. A global view of the internet is crucial for understanding the propagation behavior of malicious traffic. Moreover, in terms of DDoS attack mitigation, protecting the front-end of the malicious traffic propagation chain is more effective. This is because malicious traffic not only disrupts the services of target victims but can also impact critical links along the path, such as international ingress/egress points and interconnections between different ISPs. Additionally, with the increasing intensity and evolving tactics of DDoS attacks, relying solely on the defense capabilities at one network location is inadequate. Thus, collaboration among multiple defense systems upstream and downstream in the network is necessary. Based on the analysis above, we identify the following information that needs to be communicated through collaboration: * Attack details, including ongoing and historical attacks. * Malicious IP addresses or URIs. * Threat intelligence.

Existing Collaborative Methods The DOTS framework provides a foundation for collaborative defense DDoS attacks by facilitating threat signaling and coordinated mitigation actions. It enables the exchange of attack-related information, enhances situational awareness, and enables effective response coordination among involved parties. describes the technical framework of DOTS. and describe the communication methods between DOTS clients and servers. , , and others provide use cases for using DOTS and its communication methods.

Current Collaboration Challenges Through an analysis of practical issues encountered in DOTS applications, we have identified the following key challenges in current collaboration efforts: * Lack of consensus on attack definitions: Currently, there is no unified standard for categorizing and naming DDoS attacks. This lack of consensus regarding attack definitions may lead to misunderstandings between mitigators and requesters when transmitting collaborative information. Establishing attack definitions would help both parties better define collaboration requirements and available capabilities. * Absence of attack type-based collaborative data models: While DOTS provides parameters for describing attack details, the importance of specific attack detail parameters varies depending on the type of DDoS attack. For example, source IP address is crucial for reflection-based attacks but may not be necessary for flooding attacks. To enhance collaboration efficiency, it is essential to define collaborative data models based on attack types, including attack details and mitigation specifics. * Lack of specific scenario guidance for collaborative information transmission: Mitigation requesters often lack a comprehensive understanding of defense capabilities at different network locations. Providing guidance for collaborative information transmission methods based on specific collaboration scenarios allows mitigators to understand when to initiate mitigation requests and which mitigation capabilities they should offer. In conclusion, addressing these challenges will improve the effectiveness of collaborative DDoS mitigation and provide better protection against the growing threat of DDoS attacks.

IANA Considerations This document includes no request to IANA.

Security Considerations