Secure collective defense system

In this paper, we present the design and implementation of the secure collective defense (SCOLD) system against distributed denial of service (DDoS) attacks. The key idea of SCOLD is to follow the intrusion tolerance paradigm and provide alternate routes via a set of proxy servers and alternate gateways when the normal route is unavailable or unstable due to network failures, congestion, or DDoS attacks. The BIND9 DNS server and its DNS update utilities are enhanced to support new DNS entries that carry indirect routing information. Protocol software that establishes indirect routes based on these new DNS entries is developed for Linux systems. Experimental results show that SCOLD can improve network security, availability, and performance. Preliminary simulation results using NS2 indicate that the performance scales well with respect to the initial setup overhead and processing overhead of indirect routes.
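The failover logic described above, as an added illustration that is not code from the SCOLD paper or its BIND9/Linux implementation: a client resolves a set of indirect routes (proxy plus alternate gateway) for a target, probes the normal route, and falls back to the best reachable indirect route when the normal route is unreachable or unstable. The `proxy:<host>;gateway:<host>` record encoding, the `UNSTABLE_RTT_MS` threshold, the host names and the probe results are all assumptions constructed for this example; the paper does not specify its DNS entry format.

```python
"""Model of SCOLD-style route selection: normal route first, indirect routes
via proxy + alternate gateway when the normal route fails or is unstable.

The record layout, threshold and sample hosts below are assumptions made
for this example; they are not taken from the SCOLD paper.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class IndirectRoute:
    proxy: str      # proxy server that relays traffic for the target
    gateway: str    # alternate gateway at the target's network


@dataclass(frozen=True)
class RouteChoice:
    kind: str                 # "direct" or "indirect"
    proxy: Optional[str]
    gateway: Optional[str]
    rtt_ms: float             # measured (direct) or summed (indirect) probe RTT


# Assumed threshold: a normal route slower than this is treated as unstable.
UNSTABLE_RTT_MS = 500.0


def parse_indirect_records(txt_records: List[str]) -> List[IndirectRoute]:
    """Parse hypothetical DNS records of the form
    'proxy:<host>;gateway:<host>' into IndirectRoute objects.
    Malformed records (missing either field) are ignored."""
    routes: List[IndirectRoute] = []
    for rec in txt_records:
        fields = dict(part.split(":", 1) for part in rec.split(";") if ":" in part)
        if "proxy" in fields and "gateway" in fields:
            routes.append(IndirectRoute(fields["proxy"].strip(), fields["gateway"].strip()))
    return routes


def select_route(target: str, indirect: List[IndirectRoute],
                 probe: Callable[[str], Optional[float]]) -> Optional[RouteChoice]:
    """Return the route to use for `target`.

    `probe(host)` returns an RTT in milliseconds, or None if the host is
    unreachable. The normal route wins whenever it is reachable and within
    the stability threshold; otherwise the indirect route whose proxy and
    gateway are both reachable with the lowest combined RTT is chosen.
    Returns None when no route is usable."""
    rtt = probe(target)
    if rtt is not None and rtt <= UNSTABLE_RTT_MS:
        return RouteChoice("direct", None, None, rtt)

    best: Optional[RouteChoice] = None
    for route in indirect:
        p_rtt, g_rtt = probe(route.proxy), probe(route.gateway)
        if p_rtt is None or g_rtt is None:
            continue                      # a dead proxy or gateway disqualifies the route
        total = p_rtt + g_rtt
        if best is None or total < best.rtt_ms:
            best = RouteChoice("indirect", route.proxy, route.gateway, total)
    return best


# Constructed sample data: the normal route to the target is unreachable
# (e.g. under DDoS), one alternate gateway is down, two indirect routes work.
SAMPLE_RTT: Dict[str, Optional[float]] = {
    "target.example": None,
    "proxy1.example": 40.0, "gw1.example": 30.0,
    "proxy2.example": 20.0, "gw2.example": 90.0,
    "proxy3.example": 10.0, "gw3.example": None,
}
SAMPLE_RECORDS = [
    "proxy:proxy1.example;gateway:gw1.example",
    "proxy:proxy2.example;gateway:gw2.example",
    "proxy:proxy3.example;gateway:gw3.example",
    "garbage-record",                     # ignored by the parser
]


def table_probe(host: str) -> Optional[float]:
    """Stand-in for a real reachability/latency probe; looks up SAMPLE_RTT."""
    return SAMPLE_RTT.get(host)


def demo() -> Optional[RouteChoice]:
    """Select a route for the constructed scenario (normal route down)."""
    return select_route("target.example", parse_indirect_records(SAMPLE_RECORDS), table_probe)


if __name__ == "__main__":
    print(demo())
```

With the normal route unreachable, the selection skips the route whose alternate gateway is down and picks the indirect route with the lowest combined proxy-plus-gateway RTT. The same function returns the direct route when the target answers within the threshold, and an indirect route when the target answers but is slower than the threshold, which is the "unavailable or unstable" condition the abstract describes.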