DARPA going to extremes for DDoS defense

In the grand scheme of cyber things, distributed denial of service attacks might be considered mostly an inconvenience, but they are an inconvenience nonetheless—they might not steal information or infect a network, but they can make it inaccessible. And if a system is mission-critical, that can be more than an inconvenience.

The Pentagon’s research arm is looking for ways to lessen the blow, issuing a solicitation for what it calls Extreme DDoS Defense, or XD3. 

The U.S. Computer Emergency Readiness Team describes denial of service attacks as preventing legitimate users from accessing information or services such as email, websites, or accounts by targeting specific computers or networks. DDoS attacks commandeer other computers, as bots, and use them to distribute malicious activity by exploiting security weaknesses and vulnerabilities.

The Defense Advanced Research Projects Agency, which issued the solicitation, notes that while botnet-induced volumetric attacks that generate a significant amount of malicious traffic are the most common form of DDoS attacks, “low‐volume DDoS attacks can be even more pernicious and problematic from a defensive standpoint.”

Further, DARPA said that current DDoS defenses typically rely on a combination of network-based filtering, traffic diversion and scrubbing, otherwise described as replicating stored data, as a means to dilute volumetric attack.

What DARPA is seeking “fundamentally new DDoS defenses that afford far greater resilience to these attacks, across a broader range of contexts, than existing approaches or evolutionary extensions thereto.”

The fundamental shortfalls of general DDoS defenses, DARPA said, fall under the following deficiencies:

• Responses to DDoS attacks are too slow and manually driven, with diagnosis and formulation of filtering rules often taking hours to formulate and instantiate.
• Low‐volume DDoS attacks remain exceedingly difficult to identify and block with in‐line detection techniques. Even for volumetric DDoS attacks, in‐line filtering can present daunting tradeoffs between the desire for complete blockage of malicious traffic and the need to “do no harm” to legitimate communication (i.e., maximizing true positives while minimizing false positives).
• Mechanisms that rely on in‐line inspection of data flows may be problematic for handling encrypted tunnels, and pose scalability challenges as network bandwidths continue to increase.
• Defensive methods must be applicable to real‐time, transactional services (such as military command and control) as well as to cloud computing. Techniques that are only useful for protecting the storage and dissemination of quasi‐static data are insufficient.

The XD3 solicitation calls for two 18-month phases for the project and defines five technical areas for proposals:

Manageable dispersion of cyber resources. “The goal of XD3 TA1 is to devise and demonstrate new architectures that physically and logically disperse these capabilities while retaining (or even exceeding) the performance of traditional centralized approaches,” the solicitation stated.  DARPA stated that solutions under this technical area should strongly support a broad range of capabilities and scenarios that support interactive transactional services. 

Networked maneuver. XD3 will seek to develop new cyber agility and defensive maneuver techniques that improve resilience against DDoS attacks by overcoming limitations such as pre-conceived maneuver pans with no means of adapting to circumstances and exploring deceptive approaches to establish a false reality for adversaries.

Adaptive endpoint sensing and response. Low-volume DDoS attacks can be very effective and difficult to detect.  As such, XD3’s technical area three seeks to infuse potential DDoS attacks that include servers to adapt to operations in real time.  DARPA has set end-of-program goals for this technical area to “include a response time of 10 seconds or less, and at least a 90% recovery in application performance compared with hosts that do not have XD3 capabilities.”

Technology integration. This technical area will provide further opportunities for advances over previous defensive approaches as prior approaches have not considered the consolidation of goals sought in the three prior technical areas. 

Voice of the offense. Proposers under technical area five will sometimes be responsible for reviewing and testing system designs from performers in the first three areas. “The objective of design reviews is the proactive identification of weaknesses and vulnerabilities that would reduce the effectiveness of DDoS attack detection or mitigation,” the solicitation stated. “The objective of test plan reviews is to identify shortcomings in test scenario design, metrics, assumptions, and scope, as well as to apprise performers of potential DDoS attack methods or features that they might not have considered.”

DARPA was explicit in its announcement that the XD3 program doesn’t include detection and mitigation of DDoS-related malware. 

The response date is Oct. 13.