DefCOM: Defensive Cooperative Overlay Mesh

A Distributed Overlay Defense to Distributed Denial-of-Service Attacks

Max Robinson, Jelena Mirkovic, Peter Reiher
{max, sunshine, reiher}
University of California, Los Angeles
Laboratory for Advanced Systems Research

Distributed Denial-of-Service (DDoS) attacks are a current serious threat to critical infrastructure services. DDoS attacks use a large volume of traffic, from many attacking sources, to deny the services offered by the victim of the attack. The problem is difficult because of the large numbers of remote machines used in the attack under different administrative control, the ability for the attackers to use false source addresses, and the difficulty for the victim to differentiate between legitimate and attack traffic. There are no commercial or research defenses to DDoS attacks that make any guarantees of continued service to legitimate clients of the victim during the attack.

The DefCOM project at UCLA proposes to design and build a distributed, cooperative network of routers that respond effectively to DDoS attacks, while making some guarantees of continued service for legitimate clients. The distributed routers will work together to detect DDoS attacks, and adaptively and selectively limit traffic at various points in the network destined for the victim, while offering priority service to legitimate traffic. We will demonstrate a prototype of the system using Linux software routers and Intel IXP fast programmable hardware routers. Further, we will research securing the system itself.


Matthew Beaumont-Gay. "A Comparison of SYN Flood Detection Algorithms," Proceedings of the Second International Conference on Internet Measurement and Protection (ICIMP), July 2007.

George Oikonomou, Peter Reiher, Max Robinson, and Jelena Mirkovic. "A Framework for Collaborative DDoS Defense," Proceedings of the 2006 Annual Computer Security Applications Conference (ACSAS 22), December 2006. Available in defcom.pdf.

Jelena Mirkovic, Max Robinson, Peter Reiher, and Geoff Kuenning. "Alliance Formation for DDoS Defense," Proceedings of the New Security Paradigms Workshop, ACM SIGSAC, August 2003. Available in PDF or postscript format.

See also the D-WARD related project publications.


M. Robinson, J. Mirkovic, and P. Reiher. ``DefCOM: Defensive Cooperative Overlay Mesh'' DARPA DISCEX-III, Washington, D.C. April, 2003. Live DDoS attack and distributed defense demonstration using Linux software routers. Poster.
Click diagram to enlarge.

The DefCOM project makes use of the NSF/DHS-sponsored DETER testbed to perform experiments.

This material is based upon work supported by the National Science Foundation under Grant No. 0430228. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.