Justifying a Policy Based Approach for DDoS Remediation: A Case Study


Azman Ali, Alberto Schaeffer-Filho, Paul Smith and David Hutchison
Computing Department, Lancaster University, UK
{a.ali, asf, p.smith, dh}@comp.lancs.ac.uk

Abstract

Following the outbreak of conflict between Russia and Georgia and the infamous collapse of the Estonian network infrastructure in 2007, Distributed Denial of Service (DDoS) attacks have emerged as a new political weapon. In response to this, and anticipating the vulnerability of banking, energy and communications systems to Internet attacks, the US government, NATO and many other technology-oriented organizations have started initiatives to strengthen cyber defence and improve resilience in both military and public infrastructure. The scalability and the dynamic, elusive behaviour of DDoS attacks have motivated much work that focuses on detection and on defence strategies that are applicable to specific symptoms of attacks. We aim to improve on this by exploring the use of policy as a way of allowing dynamic execution of strategies to combat DDoS. Policy enables separation of management strategy from implementation, so that operation is not disrupted by any change of policy, while at the same time allowing remediation strategies or policies to be evaluated, learned, analysed, refined and negotiated. In this paper, we compare some key literature on remediation with some of the current practices based on our case study. We highlight some issues and remediation techniques used by an ISP operator to verify the feasibility of using policy as remediation. We discuss some initial results of our experiment to integrate an established toolkit for policy (Ponder2) with our simulated network topology and a range of attacks running on an SSFNet simulation platform.

Keywords: DDoS Attack, Policy, Resilience, Remediation.

I. INTRODUCTION

The Internet affects many aspects of our lives, both social and work, and of the businesses that we have come to rely on. Driven by the strong benefits the Internet has to offer, many telecommunication providers are already converging multiplatform legacy infrastructures onto a common Internet Protocol (IP) platform. Hence, the Internet is fast becoming the basis for the next generation of telecommunications, and is already recognised as a significant critical infrastructure. Motivated by this, we believe that ensuring resilience is a problem that needs to be addressed immediately.

Network resilience is the ability of the network to provide and maintain an acceptable level of service in the face of various faults and challenges to normal operation [3]. It is a combination of trustworthiness (dependability, security, performability) and tolerance (survivability, disruption tolerance, and traffic tolerance). One aspect of resilience, remediation, is defined as an activity in which actions are autonomously taken to enable operations to continue as well as possible and to mitigate damage [2]. Achieving resilience is not an easy task if we take into account the large number of possible events that could cause disruption to network operation.

One of the serious threats increasingly seen on the Internet is the Distributed Denial of Service (DDoS) attack. In a DDoS attack, the attackers exploit highly distributed Internet resources from all over the world to produce a highly scalable, dynamic and complex type of attack that aims to take down communication services. One approach to dealing with such a dynamic attack is the use of policy. Separating policy from the implementation of a system permits the policy to be modified in order to dynamically change the strategy for managing the system, and hence to modify the behaviour of a system without changing its underlying implementation [4].
Using policy as our approach will open up a new horizon for the study of DDoS remediation through exploration of many interesting subjects in the policy domain, such as policy learning, analysis, negotiation, evaluation and others, which would lead to more accurate and continuously improving remediation strategies. The objective of the study reported in this paper is to understand the feasibility of policy as our approach to DDoS remediation through a case study of current practices in the industry.

In the next section, we describe some of the related work in this area. We then discuss some of the issues and threats to the network, highlighting some operational issues and current best practices in dealing with them through our case study. We use Telekom Malaysia, a Malaysia-based ISP, for this case study because one of the authors has direct experience within the organization. We explain our initial work on the network simulation platform, experimenting with how policy can be used to change the behaviour of the network without actually modifying the underlying implementation. At the end of this paper, we discuss some of the insights and future work that might follow.

II. BACKGROUND AND RELATED WORK

In general, much research on resilience has been focused on specific techniques and platforms. For example, Sterbenz et al [5] proposed a mechanism that can be used to select multiple paths between a given ingress and egress node pair, and Achim et al [6] discussed IP network resilience in detail, centred on MPLS-based recovery mechanisms. Trivedi et al [7] presented definitions of resilience for computer and network systems, and constructed a resilience model for dependability and performance. Current and recent international research projects such as ResumeNet [10], Intersection [11] and ANA [12] focus on the area of resilience.
ResumeNet is evaluating an architectural approach and a set of mechanisms to achieve Internet resilience that is multilevel, systemic, and systematic. The Intersection project, on the other hand, aimed to design and implement an integrated security framework made of different subsystems and components providing network and infrastructure security, while the ANA project [12] proposed a way of building a novel autonomic network architecture that enables flexible, dynamic, and fully autonomous formation of network nodes, as well as whole networks. In the ResumeNet [10] project, several labs that share similar interests in resilience are collaborating and coordinating efforts to provide many detailed outcomes on resilience, which include architecture, framework, strategy, terminology and many related issues.

ISBN: PGNet

Our approach to resilience is based on the Resilinets strategy [3], which defines six activities, namely Defend, Detect, Remediate, Recover, Diagnose and Refine. This strategy (as illustrated in Fig. 1) allows us to define our actions in a more structured manner and provides, we believe, a good framework for resilience.

Fig. 1. General strategy for Resilience D²R² + DR [3]

We aim to focus on remediation and to study how it can be applied to help mitigate Distributed Denial of Service (DDoS) attacks. Among the many works on DDoS mitigation, we know of no study that aims to mitigate DDoS attacks as part of a complete resilience strategy. Some examples are dFence [13], a middlebox to catch the DDoS and stop traffic; DARE, an adaptive mitigation system [14] that focuses on the mitigation of the predominant DDoS TCP SYN and UDP flooding attacks; and DefCOM [15], a distributed system for DDoS defence whose nodes are deployed and cooperate via an overlay to detect and stop attacks. Such techniques might serve their own purpose, but there is still a lack of discussion on how these techniques could be coordinated with other techniques and contribute towards a complete strategy for network and service resilience.
Our approach for remediation aims to mitigate DDoS in a coordinated, autonomic and adaptive manner, taking into account the impact on the overall resilience of the network, the service or any other layers (such as network stability, usability, security and performance).

Some research on DDoS has also focused on DDoS taxonomy, metrics and benchmarking [9]. According to the study by Mirkovic et al [9], their proposed taxonomy was not all-encompassing, and a review of defence mechanisms needs to be done from time to time to include new types of attacks. Mirkovic et al [9] proposed that the Internet community must be equally cooperative within itself to counter the DDoS threat. In a survey of DDoS attack and defence mechanisms, Peng [8] concluded that the ideal solution would optimistically demand attention from lawmakers, and that global cooperation can be enforced by legislative measures for a more effective effort. From this taxonomy and survey, we believe that a more dynamic way of DDoS remediation, which promotes collaboration and involvement from decision makers, will hypothetically resolve the concern. Hence, in order to produce an effective remediation for DDoS, there is a need to assess the strategy, to learn and improve, and perhaps to collaborate with other networks, which has inspired us to explore the use of policy.

Policy, on the other hand, is an established domain of research. The Diadem Firewall project uses a similar policy-based approach for firewall configuration [16]. The project aimed to protect broadband services through the use of policy by reacting to detected violations such as a DDoS attack. While the work on Diadem Firewall showed some initial work on how policy (instrumented using Ponder2) can be used as remediation, the key differences from our approach lie in the overall goal of what policy is being used for, the scope, and the type of DDoS attacks it can remediate.
Firstly, in the Diadem Firewall project, policy was used to change the configuration of the firewall appliance, rather than being used towards deploying a complete resilience strategy such as D²R² + DR. Secondly, it is a device-based solution which is likely applicable in the LAN infrastructure (we discuss in our case study how, in actual operation, an appliance-based solution such as IPS could be limited by the hardware limitation). We, on the other hand, aim to focus on how policy can be used to strategize remediation in the context of an ISP, keeping a view on the whole underlying implementation of an ISP infrastructure rather than a specific segment in the network. Thirdly, Diadem was successfully deployed to remediate against SYN attacks, but we aim to extend our scope to cover a broader range of attacks, including volume-based attacks and the more recent types of DDoS. Thus, in our approach, all the components that build an ISP infrastructure will be treated as managed objects, not limited to any particular devices or network segment. By doing this, we believe that remediation can be achieved in a more comprehensive manner.

The exploration of policy in resilience is discussed briefly in [1], where the strategy for capitalizing on policy in resilience was first outlined. By separating policy from the underlying implementation, we believe we would be able to capitalize on some interesting features offered by policy, such as policy conflict resolution and analysis [18], policy learning [19] and policy refinement [20][21], and hence answer some questions raised in the DDoS defence survey and taxonomy discussed earlier.

III. CASE STUDY

Background

Telekom Malaysia (TM) is the second largest telecommunication provider in South East Asia and is currently Malaysia's largest Internet Service Provider.
In 2008, TM was appointed by the Malaysian Government to develop the next generation high speed broadband infrastructure and services for the nation in the RM11.3 billion national high speed broadband project. With its defined target of achieving 50% broadband penetration by 2010, the program aims at making high-speed affordable broadband available to high density, economically critical areas. In March 2010, after successful deployment of the IP core infrastructure (NGN), TM launched its new NGN services and is currently migrating its services to the new NGN infrastructure. Today, TM owns more than 70% of the Malaysian broadband market and offers a full range of telecommunication services including global IP services, commercial datacenters, Voice over IP, IPTV and a range of Enterprise IP services.

Problem Space

With all the services migrated to IP infrastructure, two problems remain the major concern and need to be addressed more seriously. Distributed Denial of Service (DDoS) attacks remain a constant threat to TM's Enterprise and Commercial Datacenter services, while botnets have increased their coverage among the broadband users. In the first quarter of 2010, for example, 6 cases of DDoS attacks on datacenters were reported by the abuse team, with the volume increasing significantly from 200Mbps to 800Mbps during this period. In some cases, the attacks exhausted the router processors by sending small packets, despite their small bandwidth utilization. The attacks were targeting some of the popular services such as government, banking, hosting services and gaming. The botnet, on the other hand, was seen as a time bomb that is building up the capability to generate more or similar DDoS attacks from within the TM network infrastructure. With currently 70,000 and increasing, the broadband users are suspected of hosting bot agents, and some effective solution needs to be deployed immediately. The real challenge for TM is to manage its international link and routing efficiently during an attack, since the link can easily be cannibalized by DDoS traffic, causing disruption to all other users.
On the other hand, it needs to protect its enterprise and datacenter customers, who are the common target of attack, and at the same time needs to suppress the growing threat of botnets.

Operational Issues

A large-scale disruption caused by a DDoS attack could easily affect TM operation. Such an attack could cause financial losses, through paying rebates, and productivity losses, because of the amount of effort and resources that need to be utilized to deal with the attacks. In some high profile cases, the company's reputation is also at stake. These losses are hard to quantify and justify, and often end up as the lowest priority in the management decision list. The rising number of bot agents in the ISP network, for example, could hardly prove the need for some serious investment, since botnet hosts or traffic are normally harmless most of the time and only become active when needed. Introducing a new technology to overcome the problem would also mean that the price of the services needs to be increased to cover the cost of infrastructure. This is the last thing the management wants to commit to, especially given the limited Internet market size in Malaysia.

Although a breach of a service level agreement due to service degradation caused by DDoS attacks could also have some financial implication, the definition of disruption or performance degradation is still arguable. Therefore, a well scrutinized service level agreement and policy is always helpful in protecting the Service Provider from any legal action from the customers. In fact, the argument might be true given that the actual attack is normally targeting the customers rather than the infrastructure, as it would take a lot of resources to bring down an ISP backbone. In this case, policy would be a useful tool to differentiate the different types of service level offered to the customers.
Apart from policy, remediation of a DDoS attack also demands the presence of highly expert, experienced or well trained personnel, as attack behaviour changes dynamically over time and resources such as bandwidth need to be utilized efficiently. In most incidents, multiple mitigation strategies need to be executed concurrently, combining a blend of known mitigation mechanisms that the analyst thinks are appropriate. The deployment of remediation must also be done as fast as possible to ensure the service level is met. This is why good processes and procedures need to be devised, especially when endorsement from a higher authority is required. Processes and procedures help to provide a good description of the roles, the flow of the process and the timeline for the tasks to be executed. These processes, procedures and policies need to be jointly prepared by the experts and the management and reviewed from time to time. Unfortunately, experts are not always easy to retain. In this industry, an expert engineer would rarely stay in one organization for years. Well developed policies, processes and procedures are therefore seen as good ways to preserve the expertise and experience within the organization and to reduce the impact of people leaving the company.

DDoS attacks are meant to overwhelm resources, which are mainly limited by hardware capability such as low processing power (most of the routers have between 512MB and 1GB of RAM), small link bandwidth or limited software features on the routers. Often these limitations are compensated for by deploying third party devices such as intrusion prevention tools, packet shaping tools or firewalls. However, these technologies cannot offer any guarantee because, despite hardware or link upgrades (which have financial implications for the operator), DDoS attackers can always garner resources from the Internet to increase the scale of the attacks.
Hence, equipping the organization with well trained personnel and good processes and procedures is seen as the key to more feasible and comprehensive remediation against an attack. In conclusion, from the operational perspective, the human, process and technology factors need to be adequately addressed to help mitigate DDoS attacks.

Current Remediation and Options

Current defence mechanisms include the deployment of packet shaping tools all over the network and intrusion prevention systems at the datacenter perimeter. Despite the deployment of all of these technologies, attacks can still take place, especially because of human limitations. Sometimes, in a larger scale attack, traffic would not even reach these devices, since it would be dropped at the router interface due to the overwhelming flow of malicious traffic. In some complex cases, data from these devices often needs to be analysed and escalated to the vendor's Technical Access Center (TAC), which is normally time consuming.

DDoS attacks are monitored using the Arbor Netflow analyser, which monitors traffic at the border of the ISP network. As a passive device, a netflow analyser like Arbor does a decent job and is capable of supplying basic information such as top link utilized, top source/destination, top application and many more, but the rest of the work lies on the shoulders of the security analysts and the engineers. Other more common mitigation techniques, such as sinkhole techniques, are also used most of the time, but they require some manual configuration and proper authorization before they can be deployed. With limited human resources and expertise, the engineers are currently attempting to set up a sinkhole infrastructure that can be easily triggered by a non-expert engineer with proper authorization.

Acknowledging the importance of the human and the process in the loop, TM has also engaged in several ISO certification programs such as ISMS and ITIL to ensure the proper implementation and execution of policy and procedure by the human operators. In the long run, the upgrade to the new Next Generation Network (NGN) infrastructure could presumably reduce the hardware and link limitation problems, since it runs on a newly developed IP Core infrastructure featuring multigigabit links and high end routers, but the concern about DDoS attacks, botnets and the need for the human and the process in the loop remains. TM has also engaged in external collaboration, either directly or indirectly, in its effort to mitigate DDoS and botnet problems.
Apart from monitoring anomalies in the network, TM also relies on other services such as reputational databases, and on complaints it receives from various network providers throughout the world. These complaints also come from Network Registries such as APNIC, RIPE, ARIN etc. and from local or international Computer Emergency Response Teams (CERTs). Some research-based organizations like Team-Cymru, for example, help to sample the traffic from the honeypot and supply some tagged data to help TM identify botnet hosts and traffic within the network. Currently Malaysia is identified as one of the top 10 countries with the highest number of botnet hosts in the network [17].

Another service, the scrubbing service by Prolexic [24], offers to handle DDoS traffic before it floods the ISP's international link by tapping the traffic at various international points which are close to the well known sources of DDoS attacks. Once triggered, suspected traffic is diverted to Prolexic's network, where the traffic is scrubbed or filtered before being redirected back to the ISP. This will help TM to preserve the international bandwidth from being flooded with bad traffic. However, initial detection and triggering of the service need to be done by the ISP. This service is currently under evaluation and could be an alternative for DDoS remediation.

Discussion

ISP operation relies on collaboration and information from various sources to help identify threats on its own network. This process is currently performed manually, but a more automatic approach would be desirable in the future. The human element cannot be overlooked in this matter. Lack of expertise and some unpredictable human mistakes could also be a threat to resilience. Mistakes, however, can be reduced through a well executed policy and process. The need for intelligence in devising strategies for DDoS remediation also means that processes and policies need to be continuously assessed and learned from time to time.
In an event like DDoS, response time is critical and a delay could cause financial implications to the organization. Thus a well developed policy and process could help in making complex decisions and eventually reduce dependencies on particular individuals or experts.

Based on the case study, DDoS remediation is also limited by the technology (financially and feature wise). For some countries, investing in network-wide deployment of appliances to remediate DDoS would cost a fortune, and its Return on Investment (RoI) is not easily quantified. Thus, remediation might need to be approached as a revenue generating service. By implementing and enforcing policy, some paying customers might be given the protection while the rest might need to settle for some basic level of service. The purpose of doing this is to entice the management to be more involved in solving the DDoS and botnet threat in the network, as well as to provide a more economical approach to this matter. In our approach, driven by high level policy requirements such as Service Level Agreements (SLAs) or Key Performance Indicators (KPIs), policy will then need to be refined and translated for actual execution.

Many of the operational issues in solving DDoS and botnet problems also mainly revolve around human, process and technology. The workaround for these issues hence needs to cover the three aspects, which brings us to explore policy as a governing mechanism. Apart from being economical compared to hardware investment, policy helps to separate the management from the underlying implementation, which means that devising policies and strategies can be done without disrupting operation. This key attribute of policy opens the prospect for collaboration, learning and refinement, making policy a good candidate to address all the issues in hand.

IV. IMPLEMENTATION

Based on our case study, we conduct an experiment to explore the use of policy in DDoS remediation.
Initial tasks for this experiment include building an ISP topology for the network simulation, identifying the simulation and the policy tools to be used, and preparing the integration between them.

A. Topology

The network topology (Fig. 2) used in our simulation was based on an example Internet Service Provider (ISP) network.

The ISP context is used as it represents the complete set of infrastructure elements that could potentially be exposed or compromised during a DDoS attack. The variety of elements supports scalability for future experimentation.

Fig. 2. An abstraction of Telekom Malaysia ISP's topology, physical resources and logical components for the resilience strategy [1]

This topology contains a network with multiple regions (Northern, Southern, Western and Central), interconnected via a backbone ring (backbone facilities run the OSPF routing protocol and are assigned area 0, while the other regional areas run on OSPF areas 1, 2 and 3 respectively). The central region consists of border routers linked to other ISPs via the BGP routing protocol. Each regional network hosts a server farm, which is a potential victim or destination of an attack; a thousand broadband or Digital Subscriber Line (DSL) users, which could be the originator or source of an attack; and an Enterprise network, which may be the source or destination of an attack. An attack can also be simulated from and to an external destination beyond the ISP network. The link bandwidths in this topology represent some typical bandwidth sizes, such as multi-gigabit links for the backbone and server farms, E1 connections for enterprises and multiple 1Mbps links for DSL users.

B. Toolset

SSFNet

Scalable Simulation Framework (SSF) is a simulation tool for complex systems built on Java and C++ [22]. It provides facilities to model a network through the SSFNet package, which comprises Java packages. It includes models of protocols such as IP, TCP, UDP, BGP and OSPF, many network elements such as routers, hosts, links and network interface cards, and other scenario-oriented models such as DDoS, worm propagation, campus network, multi-AS network etc. The simulation is mainly used for simulating traffic from layer 3 (IP layer) and above. The configuration or topology of the network model is defined in DML formatted files.
In our simulation, the topology described in Fig. 2 is configured in a DML file.

Ponder2

Ponder2 [23] is a policy tool that comprises a Java-based object management system that can be used for general purposes. Ponder2 has been applied in many different environments including devices, health monitoring systems, distributed systems and many more. There are two types of policies, the obligation policy and the authorization policy. An obligation policy defines how an event (e) that meets certain conditions (c) triggers an action (a), also known as an ECA rule. An authorization policy, on the other hand, controls interaction between managed objects. Ponder2 is configured using PonderTalk, a language used to control Ponder2 instances and capable of passing messages between objects. Policies are written in terms of managed objects that can be created and customized to allow Ponder2 to interact with various software or hardware. The purpose of this interaction is to enable policies to be executed without the need to change the configuration of the hardware or software that it controls.

C. Ponder2 and SSFNet Integration

One of the key factors for selecting SSFNet as our simulation platform is the need to integrate with Ponder2, which is built on the Java platform. Our initial work on the integration is to instrument selected objects in SSFNet to allow Ponder2 to communicate with them later on. This section contains some examples of configurations on the SSFNet package; configuration of Ponder2 is currently in progress.

    import java.rmi.RemoteException;
    import java.rmi.registry.LocateRegistry;
    import java.rmi.registry.Registry;
    import java.rmi.server.UnicastRemoteObject;

    public class RateLimiter implements nicbitrater, RemediationInterface {
        private static String objName = RateLimiter.class.getSimpleName();
        ...
    }

Fig. 3: A new class called RateLimiter was created

A new class called RateLimiter (Fig. 3) was introduced with a method called applyremediation (Fig. 5). At runtime, this object will be registered in the RMI registry (Fig. 4) to allow Ponder2 to perform the lookup and communicate with SSFNet.

    public RateLimiter() {
        try {
            // export and register this object
            RemediationInterface stub =
                (RemediationInterface) UnicastRemoteObject.exportObject(this, 0);
            Registry registry = LocateRegistry.getRegistry();
            // bind under the class name so the policy side can look it up
            registry.rebind(objName, stub);
            System.out.println(objName + " is ready");
        } catch (RemoteException re) {
            re.printStackTrace();
        }
    }

Fig. 4: RateLimiter constructor registers object in RMI registry

    public void applyremediation() throws RemoteException {
        final double newbitrate;
        System.out.println("Remediation \"" + objName + "\" applied... RateLimit");
        // scale the current bit rate of the interface by the configured limit
        newbitrate = limit * fornic.bitrate();
        ...
    }
    ... = new RateLimiter(this);

Fig. 5: A method applyremediation is created in RateLimiter.
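The separation described above, an ECA obligation policy on one side and an RMI-registered rate limiter on the other, can be shown end to end in one file. This is an added example, not code from the paper, Ponder2 or SSFNet: the class names, the `applyRemediation(double)` signature, the event fields and the thresholds are all assumptions, and it needs Java 16 or later.

```java
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;
import java.util.List;
import java.util.function.Predicate;

// Added illustration. All names are hypothetical; this is not Ponder2 or SSFNet code.
public class PolicyRemediationDemo {

    /** Remote view of a managed object, playing the role of the paper's remediation interface. */
    public interface RemediationInterface extends Remote {
        void applyRemediation(double limit) throws RemoteException; // limit = fraction of line rate
        double bitrate() throws RemoteException;
    }

    /** Mechanism: a rate limiter on one link. It knows nothing about events or policy. */
    static class RateLimiter implements RemediationInterface {
        private final double lineRate; // bit/s
        private double current;

        RateLimiter(double lineRate) { this.lineRate = lineRate; this.current = lineRate; }

        @Override public synchronized void applyRemediation(double limit) {
            if (limit <= 0.0 || limit > 1.0) throw new IllegalArgumentException("limit must be in (0, 1]");
            current = limit * lineRate;
        }

        @Override public synchronized double bitrate() { return current; }
    }

    /** Event as a detector might publish it (constructed fields). */
    record LinkEvent(String type, String link, String tier, double utilisation) {}

    /** Obligation policy: on event E, if condition C holds, perform action A on the event's link. */
    record Obligation(String name, String event, Predicate<LinkEvent> condition, double limit) {}

    /** Policy side: evaluates ECA rules and reaches the mechanism only via registry lookup. */
    static int dispatch(List<Obligation> policies, LinkEvent e, Registry registry) throws Exception {
        int fired = 0;
        for (Obligation p : policies) {
            if (!p.event().equals(e.type()) || !p.condition().test(e)) continue;
            RemediationInterface target = (RemediationInterface) registry.lookup(e.link());
            target.applyRemediation(p.limit());
            System.out.printf("  %s fired: %s now %.0f bit/s%n", p.name(), e.link(), target.bitrate());
            fired++;
        }
        if (fired == 0) System.out.println("  no policy fired for " + e.link());
        return fired;
    }

    public static void main(String[] args) throws Exception {
        System.setProperty("java.rmi.server.hostname", "127.0.0.1"); // keep the demo on loopback
        Registry registry = LocateRegistry.createRegistry(0);        // in-process registry, any free port

        // Two managed objects, sized like the DSL and E1 links of the simulated topology.
        RateLimiter dsl = new RateLimiter(1_000_000);
        RateLimiter e1 = new RateLimiter(2_048_000);
        registry.rebind("dsl-access", UnicastRemoteObject.exportObject(dsl, 0));
        registry.rebind("enterprise-e1", UnicastRemoteObject.exportObject(e1, 0));

        // Constructed sample events.
        LinkEvent basic = new LinkEvent("highUtilisation", "dsl-access", "basic", 0.85);
        LinkEvent premium = new LinkEvent("highUtilisation", "enterprise-e1", "premium", 0.95);

        // Strategy 1: throttle any link above 90% utilisation to half rate.
        List<Obligation> v1 = List.of(new Obligation("throttle-all", "highUtilisation",
                ev -> ev.utilisation() > 0.90, 0.5));

        // Strategy 2: SLA-aware revision. Only basic-tier links are throttled, earlier and harder.
        List<Obligation> v2 = List.of(new Obligation("throttle-basic", "highUtilisation",
                ev -> ev.tier().equals("basic") && ev.utilisation() > 0.80, 0.1));

        System.out.println("policy v1:");
        dispatch(v1, basic, registry);
        dispatch(v1, premium, registry);

        // The policy set is replaced at runtime; RateLimiter is not modified or restarted.
        e1.applyRemediation(1.0); // operator resets the enterprise link before the new strategy applies
        System.out.println("policy v2:");
        dispatch(v2, basic, registry);
        dispatch(v2, premium, registry);

        // Unexport so the JVM can exit.
        UnicastRemoteObject.unexportObject(dsl, true);
        UnicastRemoteObject.unexportObject(e1, true);
        UnicastRemoteObject.unexportObject(registry, true);
    }
}
```

Under the first policy set only the enterprise link is throttled; after the swap only the basic-tier DSL link is, with no change to the limiter class.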

A modification was also made to include limiter as a new parameter (Fig. 6), which was then used in our DML configuration (Fig. 7).

    // Print the "limiter" attribute found in the interface configuration (debug output).
    System.err.println(cfg.findSingle("limiter"));
    // Use the configured limiter if one is present; otherwise fall back to the default RateLimiter.
    Configuration xcfg = (Configuration) cfg.findSingle("limiter");
    if (xcfg != null)
        createbitrate(xcfg);
    else
        bitratemanager = new RateLimiter(this);

Fig. 6: Configuring nic.java (network interface card module in SSFNet).

    router [
      id 20
      interface [
        id 0
        limiter [use eu.resumenet.mechanisms.remediation.ratelimiter]
        latency 0.0
      ]
      ...
    ]

Fig. 7: Configuring interface using limiter

Currently we are working on the integration with the policy framework. We then expect to use this toolset to evaluate policy-based strategies for the remediation of DDoS attacks.

IV. CONCLUSION AND FUTURE WORK

In our case study, we discussed some of the issues and current remediation techniques from the operational point of view. The need for an approach that supports collaboration, refinement, learning and separation of management from the underlying implementation has motivated us to explore the use of policy for remediation. By using policy in our approach, we would be able to coordinate DDoS remediation in a more dynamic and autonomic manner, so that resilience can be achieved in more efficient and comprehensive ways. This initial work on integration (SSFNet and Ponder2) provides a good starting point for further exploration of policy for remediation. Other prospects of policy such as policy analysis, conflict resolution, refinement, evaluation, learning and negotiation can be further studied to improve many areas in our resilience strategy D²R² + DR, and remediation in particular. This approach can also be applied to other testbeds and environments such as DETER [8] or other simulation platforms for the purpose of evaluation and benchmarking.

V. ACKNOWLEDGEMENT

The research presented in this paper is based on the short paper entitled Strategies for Network Resilience: Capitalising on Policies which is scheduled to be presented at the AIMS Conference, in Zurich in The initiative of exploring policies for Resilience is partially funded by the European Commission in the context of the Research Framework Program Seven (FP7) project ResumeNet (Grant Agreement No ). The project has also been supported by the EPSRC funded India-UK Advanced Technology Centre in Next Generation Networking. The author would also like to thank Telekom Malaysia, as a co-sponsor, for the access and support in our case study and Yayasan Khazanah as the main sponsor for the study on Techniques for Network Resilience.

VII. REFERENCES

[1] Paul Smith, Alberto Schaeffer-Filho, Azman Ali, Marcus Scholler, Nizar Kheir, Andreas Mauthe and David Hutchison, Strategies for Network Resilience: Capitalising on Policies, accepted, to appear in 4th International Conference on Autonomous Infrastructure, Management and Security (AIMS 2010).
[2] J.P.G. Sterbenz, D. Hutchison, E.G. Cetinkaya, A. Jabbar, J.P. Rohrer, M. Schöller, and P. Smith, Resilience and Survivability in Communication Networks: Strategies, Principles, and Survey of Disciplines, accepted, to appear in Computer Networks (COMNET), Special Issue on Resilient and Survivable Networks, Elsevier,
[3] D. Hutchison, J. Sterbenz (2008), Resilinets Architecture Definition, [Online] Available at:
[4] Damianou, N., et al., The Ponder Policy Specification Language, Policies for Distributed Systems and Networks, Proceedings, 2001: p
[5] Justin P. Rohrer, Abdul Jabbar, and James P.G. Sterbenz, Path Diversification: A Multipath Resilience Mechanism, Proceedings of the 7th IEEE International Workshop on the Design of Reliable Communication Networks (DRCN) (2009).
[6] Autenrieth, A. and A. Kirstadter, Engineering End-to-End IP Resilience Using Resilience-differentiated QoS, IEEE Communications Magazine, (1): p
[7] Trivedi, K.S., D.S. Kim, and R. Ghosh, Resilience in Computer Systems and Networks, in Proceedings of the 2009 International Conference on Computer-Aided Design, 2009, ACM: San Jose, California. p
[8] Peng, T., C. Leckie, and K. Ramamohanarao, Survey of Network-Based Defense Mechanisms Countering the DoS and DDoS Problems, ACM Computing Surveys, (1): p. -.
[9] Mirkovic, J., et al., A User-Centric Metric for Denial-of-Service Measurement, in Experimental Computer Science. 2007, USENIX Association: San Diego. p
[10] ResumeNet Website, (2009) [Online]. Available at:
[11] Intersection Project Website, (2007) [Online]. Available at:
[12] ANA Project: [Online], Available at:
[13] Ajay Mahimkar, Jasraj Dange, Vitaly Shmatikov, Harrick Vin, Yin Zhang, dfence: Transparent Network-based Denial of Service Mitigation, USENIX Symposium on Networked Systems Design & Implementation (2007), p
[14] Thing, V.L.L., M. Sloman, and N. Dulay, Adaptive Response System for Distributed Denial-of-Service Attacks, 2009 IFIP/IEEE International Symposium on Integrated Network Management (IM 2009) Vols 1 and 2, 2009: p
[15] Jelena Mirkovic, Max Robinson, Peter Reiher, George Oikonomou, Distributed Defense Against DDoS Attacks, University of Delaware CIS Department Technical Report CIS-TR ,
[16] Diadem Project Website (2005), Documentation and Publication, [Online]. Available at:
[17] Team CYMRU (2009). [Online]. Available at:
[18] Taghrid Samak, Ehab Al-Shaer, Hong Li, QoS Policy Modeling and Conflict Analysis, policy, pp. 19-26, 2008 IEEE Workshop on Policies for Distributed Systems and Networks, 2008
[19] Domenico Corapi, Oliver Ray, Alessandra Russo, Arosha Bandara, and Emil Lupu, Learning Rules from User Behavior, Artificial Intelligence Applications and Innovations III /2009 p
[20] Arosha K Bandara, Emil Lupu, Jonathan Moffett, Alessandra Russo, A Goal-based Approach to Policy Refinement, in Proceedings of the Fifth IEEE International Workshop on Policies for Distributed Systems and Networks. 2004, IEEE Computer Society. p
[21] A. Bandara, E. Lupu, A. Russo, Policy Refinement for DiffServ Quality Of Service Management, Integrated Network Management, IFIP/IEEE International Symposium (2005) p
[22] SSFNET Website (2002). [Online]. Available at:
[23] Ponder2 Website at Imperial Policy Group [Online]. Available at:
[24] Prolexic Network Protection Service. [Online]. Available at:
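
The limiter hook of Fig. 6 and Fig. 7 can be illustrated outside SSFNet with the following added example, which is not code from the paper, SSFNet or Ponder2. It assumes a flat key/value map in place of the DML configuration; the names PacketLimiter, PassThrough, TokenBucket, Nic and the limiter.use key are hypothetical, and the token bucket is an assumed algorithm, since this section does not show the internals of the paper's RateLimiter.

```java
import java.util.Map;

// Added illustration: every name below is hypothetical, not an SSFNet or Ponder2 API.
public class LimiterDemo {
    // Offer one 1500-byte packet per millisecond for `seconds`; return how many are forwarded.
    static int flood(PacketLimiter l, double start, double seconds) {
        int forwarded = 0;
        for (int i = 0; i < (int) (seconds * 1000); i++) {
            if (l.admit(1500, start + i * 0.001)) forwarded++;
        }
        return forwarded;
    }

    public static void main(String[] args) throws ReflectiveOperationException {
        Nic plain = new Nic(Map.of());                              // no "limiter" attribute
        Nic limited = new Nic(Map.of("limiter.use", "TokenBucket")); // constructed sample config
        System.out.println("no limiter:   " + flood(plain.limiter, 0.0, 1.0));
        System.out.println("default rate: " + flood(limited.limiter, 0.0, 1.0));
        // A policy action fired by an "attack detected" event tightens the rate at run time;
        // the NIC code is untouched, which is the separation the paper argues for.
        limited.limiter.setRate(12_500, 1.0);
        System.out.println("after policy: " + flood(limited.limiter, 1.0, 1.0));
    }
}

interface PacketLimiter {
    boolean admit(int bytes, double now);           // true = forward, false = drop
    void setRate(double bytesPerSecond, double now); // management hook for policy actions
}

/** Used when the interface has no limiter configured: forwards everything. */
class PassThrough implements PacketLimiter {
    public boolean admit(int bytes, double now) { return true; }
    public void setRate(double bytesPerSecond, double now) { /* nothing to limit */ }
}

/** Token bucket: tokens refill at `rate` bytes/s, capped at `burst` bytes. */
class TokenBucket implements PacketLimiter {
    private double rate = 125_000;        // constructed default, about 1 Mbit/s
    private final double burst = 15_000;  // constructed default, ten 1500-byte packets
    private double tokens = burst;
    private double last = 0.0;

    private void refill(double now) {
        tokens = Math.min(burst, tokens + (now - last) * rate);
        last = now;
    }

    public boolean admit(int bytes, double now) {
        refill(now);
        if (bytes > tokens) return false;
        tokens -= bytes;
        return true;
    }

    public void setRate(double bytesPerSecond, double now) {
        if (bytesPerSecond <= 0) throw new IllegalArgumentException("rate must be positive");
        refill(now);               // settle tokens earned at the old rate first
        rate = bytesPerSecond;
    }
}

/** Interface model: picks its limiter from configuration, as the limiter attribute in Fig. 7 does. */
class Nic {
    final PacketLimiter limiter;

    Nic(Map<String, String> cfg) throws ReflectiveOperationException {
        String cls = cfg.get("limiter.use");
        if (cls == null) {
            limiter = new PassThrough();
        } else {
            // asSubclass rejects a configured class that is not a PacketLimiter, so a
            // mistyped or unexpected class name cannot be installed as the limiter.
            limiter = Class.forName(cls).asSubclass(PacketLimiter.class)
                           .getDeclaredConstructor().newInstance();
        }
    }
}
```

Saved as LimiterDemo.java, this runs with `java LimiterDemo.java` on Java 11 or later and prints the number of packets forwarded in each one-second run.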

IU-ATC Network Security and Resilience Monitoring (Theme 4)

IU-ATC Network Security and Resilience Monitoring (Theme 4) IU-ATC Network Security and Resilience Monitoring (Theme 4) Policy-driven Resilience Simulator Alberto Schaeffer-Filho, Paul Smith and Andreas Mauthe Lancaster University India-UK Centre of Excellence

More information

Network Security: Network Flooding. Seungwon Shin GSIS, KAIST

Network Security: Network Flooding. Seungwon Shin GSIS, KAIST Network Security: Network Flooding Seungwon Shin GSIS, KAIST Detecting Network Flooding Attacks SYN-cookies Proxy based CAPCHA Ingress/Egress filtering Some examples SYN-cookies Background In a TCP 3-way

More information

packet retransmitting based on dynamic route table technology, as shown in fig. 2 and 3.

packet retransmitting based on dynamic route table technology, as shown in fig. 2 and 3. Implementation of an Emulation Environment for Large Scale Network Security Experiments Cui Yimin, Liu Li, Jin Qi, Kuang Xiaohui National Key Laboratory of Science and Technology on Information System

More information

Network Resilience & DDoS attacks

Network Resilience & DDoS attacks Network Resilience & DDoS attacks Paul Smith School of Computing and Communications Lancaster University p.smith@comp.lancs.ac.uk The ResiliNets Group @ Lancaster http://www.comp.lancs.ac.uk/resilience

More information

Network Resilience. From Concepts to Experimentation. FIRE Research Workshop - May 16 th 2011

Network Resilience. From Concepts to Experimentation. FIRE Research Workshop - May 16 th 2011 Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle Network Resilience From Concepts to Experimentation FIRE Research Workshop - May 16 th 2011 Georg Carle, TU

More information

Service Level AgreementMonitoring for Resilience in Computer Networks

Service Level AgreementMonitoring for Resilience in Computer Networks Service Level AgreementMonitoring for Resilience in Computer Networks Noor-ul-hassan Shirazi, Alberto Schaeffer-Filho and David Hutchison School of Computing and Communications InfoLab21, Lancaster University

More information

Towards Autonomic DDoS Mitigation using Software Defined Networking

Towards Autonomic DDoS Mitigation using Software Defined Networking Towards Autonomic DDoS Mitigation using Software Defined Networking Authors: Rishikesh Sahay, Gregory Blanc, Zonghua Zhang, Hervé Debar NDSS Workshop on Security of Emerging Networking Technologies (SENT

More information

DoS: Attack and Defense

DoS: Attack and Defense DoS: Attack and Defense Vincent Tai Sayantan Sengupta COEN 233 Term Project Prof. M. Wang 1 Table of Contents 1. Introduction 4 1.1. Objective 1.2. Problem 1.3. Relation to the class 1.4. Other approaches

More information

HOW TO PREVENT DDOS ATTACKS IN A SERVICE PROVIDER ENVIRONMENT

HOW TO PREVENT DDOS ATTACKS IN A SERVICE PROVIDER ENVIRONMENT HOW TO PREVENT DDOS ATTACKS IN A SERVICE PROVIDER ENVIRONMENT The frequency and sophistication of Distributed Denial of Service attacks (DDoS) on the Internet are rapidly increasing. Most of the earliest

More information

DDOS WALL: AN INTERNET SERVICE PROVIDER PROTECTOR

DDOS WALL: AN INTERNET SERVICE PROVIDER PROTECTOR Journal homepage: www.mjret.in DDOS WALL: AN INTERNET SERVICE PROVIDER PROTECTOR Maharudra V. Phalke, Atul D. Khude,Ganesh T. Bodkhe, Sudam A. Chole Information Technology, PVPIT Bhavdhan Pune,India maharudra90@gmail.com,

More information

Availability Digest. www.availabilitydigest.com. Prolexic a DDoS Mitigation Service Provider April 2013

Availability Digest. www.availabilitydigest.com. Prolexic a DDoS Mitigation Service Provider April 2013 the Availability Digest Prolexic a DDoS Mitigation Service Provider April 2013 Prolexic (www.prolexic.com) is a firm that focuses solely on mitigating Distributed Denial of Service (DDoS) attacks. Headquartered

More information

Service Description DDoS Mitigation Service

Service Description DDoS Mitigation Service Service Description DDoS Mitigation Service Interoute, Walbrook Building, 195 Marsh Wall, London, E14 9SG, UK Tel: +800 4683 7681 Email: info@interoute.com Contents Contents 1 Introduction...3 2 An Overview...3

More information

DDoS Overview and Incident Response Guide. July 2014

DDoS Overview and Incident Response Guide. July 2014 DDoS Overview and Incident Response Guide July 2014 Contents 1. Target Audience... 2 2. Introduction... 2 3. The Growing DDoS Problem... 2 4. DDoS Attack Categories... 4 5. DDoS Mitigation... 5 1 1. Target

More information

Index Terms Denial-of-Service Attack, Intrusion Prevention System, Internet Service Provider. Fig.1.Single IPS System

Index Terms Denial-of-Service Attack, Intrusion Prevention System, Internet Service Provider. Fig.1.Single IPS System Detection of DDoS Attack Using Virtual Security N.Hanusuyakrish, D.Kapil, P.Manimekala, M.Prakash Abstract Distributed Denial-of-Service attack (DDoS attack) is a machine which makes the network resource

More information

A TWO LEVEL ARCHITECTURE USING CONSENSUS METHOD FOR GLOBAL DECISION MAKING AGAINST DDoS ATTACKS

A TWO LEVEL ARCHITECTURE USING CONSENSUS METHOD FOR GLOBAL DECISION MAKING AGAINST DDoS ATTACKS ICTACT JOURNAL ON COMMUNICATION TECHNOLOGY, JUNE 2010, ISSUE: 02 A TWO LEVEL ARCHITECTURE USING CONSENSUS METHOD FOR GLOBAL DECISION MAKING AGAINST DDoS ATTACKS S.Seetha 1 and P.Raviraj 2 Department of

More information

dfence: Transparent Network-based Denial of Service Mitigation

dfence: Transparent Network-based Denial of Service Mitigation dfence: Transparent Network-based Denial of Service Mitigation Ajay Mahimkar, Jasraj Dange, Vitaly Shmatikov, Harrick Vin, Yin Zhang Department of Computer Sciences, The University of Texas USENIX NSDI

More information

DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS

DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS : DDOS ATTACKS DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS 1 DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS NTT is one of the largest Internet providers in the world, with a significant share of the world s

More information

Cisco Security Optimization Service

Cisco Security Optimization Service Cisco Security Optimization Service Proactively strengthen your network to better respond to evolving security threats and planned and unplanned events. Service Overview Optimize Your Network for Borderless

More information

Design and Experiments of small DDoS Defense System using Traffic Deflecting in Autonomous System

Design and Experiments of small DDoS Defense System using Traffic Deflecting in Autonomous System Design and Experiments of small DDoS Defense System using Traffic Deflecting in Autonomous System Ho-Seok Kang and Sung-Ryul Kim Konkuk University Seoul, Republic of Korea hsriver@gmail.com and kimsr@konkuk.ac.kr

More information

A Novel Distributed Denial of Service (DDoS) Attacks Discriminating Detection in Flash Crowds

A Novel Distributed Denial of Service (DDoS) Attacks Discriminating Detection in Flash Crowds International Journal of Research Studies in Science, Engineering and Technology Volume 1, Issue 9, December 2014, PP 139-143 ISSN 2349-4751 (Print) & ISSN 2349-476X (Online) A Novel Distributed Denial

More information

Security Toolsets for ISP Defense

Security Toolsets for ISP Defense Security Toolsets for ISP Defense Backbone Practices Authored by Timothy A Battles (AT&T IP Network Security) What s our goal? To provide protection against anomalous traffic for our network and it s customers.

More information

White Paper. Intelligent DDoS Protection Use cases for applying DDoS Intelligence to improve preparation, detection and mitigation

White Paper. Intelligent DDoS Protection Use cases for applying DDoS Intelligence to improve preparation, detection and mitigation White Paper Intelligent DDoS Protection Use cases for applying DDoS Intelligence to improve preparation, detection and mitigation Table of Contents Introduction... 3 Common DDoS Mitigation Measures...

More information

Disaster Recovery Design Ehab Ashary University of Colorado at Colorado Springs

Disaster Recovery Design Ehab Ashary University of Colorado at Colorado Springs Disaster Recovery Design Ehab Ashary University of Colorado at Colorado Springs As a head of the campus network department in the Deanship of Information Technology at King Abdulaziz University for more

More information

Radware s Attack Mitigation Solution On-line Business Protection

Radware s Attack Mitigation Solution On-line Business Protection Radware s Attack Mitigation Solution On-line Business Protection Table of Contents Attack Mitigation Layers of Defense... 3 Network-Based DDoS Protections... 3 Application Based DoS/DDoS Protection...

More information

Stop DDoS Attacks in Minutes

Stop DDoS Attacks in Minutes PREVENTIA Forward Thinking Security Solutions Stop DDoS Attacks in Minutes 1 On average there are more than 7,000 DDoS attacks observed daily. You ve seen the headlines. Distributed Denial of Service (DDoS)

More information

Adaptive Response System for Distributed Denial-of-Service Attacks

Adaptive Response System for Distributed Denial-of-Service Attacks 1 Adaptive Response System for Distributed Denial-of-Service Attacks Vrizlynn L. L. Thing, Morris Sloman and Naranker Dulay vriz@i2r.a-star.edu.sg, mss@doc.ic.ac.uk and nd@doc.ic.ac.uk Institute for Infocomm

More information

Workshop on Infrastructure Security and Operational Challenges of Service Provider Networks

Workshop on Infrastructure Security and Operational Challenges of Service Provider Networks Workshop on Infrastructure Security and Operational Challenges of Service Provider Networks Farnam Jahanian University of Michigan and Arbor Networks IFIP Working Group 10.4 June 29-30, 2006 What s the

More information

Securing data centres: How we are positioned as your ISP provider to prevent online attacks.

Securing data centres: How we are positioned as your ISP provider to prevent online attacks. Securing data centres: How we are positioned as your ISP provider to prevent online attacks. Executive Summary In today s technologically-demanding world, an organisation that experiences any internet

More information

How Cisco IT Protects Against Distributed Denial of Service Attacks

How Cisco IT Protects Against Distributed Denial of Service Attacks How Cisco IT Protects Against Distributed Denial of Service Attacks Cisco Guard provides added layer of protection for server properties with high business value. Cisco IT Case Study / < Security and VPN

More information

A Senior Design Project on Network Security

A Senior Design Project on Network Security A Senior Design Project on Network Security by Yu Cai and Howard Qi Michigan Technological University 1400 Townsend Dr. Houghton, Michigan 49931 cai@mtu.edu Abstract Distributed denial-of-service (DDoS)

More information

A Novel Packet Marketing Method in DDoS Attack Detection

A Novel Packet Marketing Method in DDoS Attack Detection SCI-PUBLICATIONS Author Manuscript American Journal of Applied Sciences 4 (10): 741-745, 2007 ISSN 1546-9239 2007 Science Publications A Novel Packet Marketing Method in DDoS Attack Detection 1 Changhyun

More information

Complete Protection against Evolving DDoS Threats

Complete Protection against Evolving DDoS Threats Complete Protection against Evolving DDoS Threats AhnLab, Inc. Table of Contents Introduction... 2 The Evolution of DDoS Attacks... 2 Typical Protection against DDoS Attacks... 3 Firewalls... 3 Intrusion

More information

Tackling Congestion to Address Distributed Denial of Service: A Push-Forward Mechanism

Tackling Congestion to Address Distributed Denial of Service: A Push-Forward Mechanism Tackling Congestion to Address Distributed Denial of Service: A Push-Forward Mechanism Srinivasan Krishnamoorthy and Partha Dasgupta Computer Science and Engineering Department Arizona State University

More information

Preventing DDOS attack in Mobile Ad-hoc Network using a Secure Intrusion Detection System

Preventing DDOS attack in Mobile Ad-hoc Network using a Secure Intrusion Detection System Preventing DDOS attack in Mobile Ad-hoc Network using a Secure Intrusion Detection System Shams Fathima M.Tech,Department of Computer Science Kakatiya Institute of Technology & Science, Warangal,India

More information

Four Considerations for Addressing the DDoS Risk for Carrier and Cloud Hosting Providers

Four Considerations for Addressing the DDoS Risk for Carrier and Cloud Hosting Providers Four Considerations for Addressing the DDoS Risk for Carrier and Cloud Hosting Providers Whitepaper SHARE THIS WHITEPAPER Table of Contents The Rising Threat of Cyber-Attack Downtime...3 Four Key Considerations

More information

SHARE THIS WHITEPAPER. Top Selection Criteria for an Anti-DDoS Solution Whitepaper

SHARE THIS WHITEPAPER. Top Selection Criteria for an Anti-DDoS Solution Whitepaper SHARE THIS WHITEPAPER Top Selection Criteria for an Anti-DDoS Solution Whitepaper Table of Contents Top Selection Criteria for an Anti-DDoS Solution...3 DDoS Attack Coverage...3 Mitigation Technology...4

More information

Should the IETF do anything about DDoS attacks? Mark Handley

Should the IETF do anything about DDoS attacks? Mark Handley Should the IETF do anything about DDoS attacks? Mark Handley The Problem The Internet architecture was designed to delivery packets to the destination efficiently. Even if the destination does not want

More information

Denial of Service Attacks and Resilient Overlay Networks

Denial of Service Attacks and Resilient Overlay Networks Denial of Service Attacks and Resilient Overlay Networks Angelos D. Keromytis Network Security Lab Computer Science Department, Columbia University Motivation: Network Service Availability Motivation:

More information

BlackRidge Technology Transport Access Control: Overview

BlackRidge Technology Transport Access Control: Overview 2011 BlackRidge Technology Transport Access Control: Overview 1 Introduction Enterprises and government agencies are under repeated cyber attack. Attacks range in scope from distributed denial of service

More information

MPLS: Key Factors to Consider When Selecting Your MPLS Provider Whitepaper

MPLS: Key Factors to Consider When Selecting Your MPLS Provider Whitepaper MPLS: Key Factors to Consider When Selecting Your MPLS Provider Whitepaper 2006-20011 EarthLink Business Page 1 EXECUTIVE SUMMARY Multiprotocol Label Switching (MPLS), once the sole domain of major corporations

More information

NETWORK ISSUES: COSTS & OPTIONS

NETWORK ISSUES: COSTS & OPTIONS VIDEO CONFERENCING NETWORK ISSUES: COSTS & OPTIONS Prepared By: S. Ann Earon, Ph.D., President Telemanagement Resources International Inc. Sponsored by Vidyo By:S.AnnEaron,Ph.D. Introduction Successful

More information

Distributed Denial of Service protection

Distributed Denial of Service protection Distributed Denial of Service protection The cost in terms of lost business caused by a successful DDoS attacks can be significant. Our solution recognises when a DDoS attack is happening and identifies

More information

Safeguards Against Denial of Service Attacks for IP Phones

Safeguards Against Denial of Service Attacks for IP Phones W H I T E P A P E R Denial of Service (DoS) attacks on computers and infrastructure communications systems have been reported for a number of years, but the accelerated deployment of Voice over IP (VoIP)

More information

WHITEPAPER MPLS: Key Factors to Consider When Selecting Your MPLS Provider

WHITEPAPER MPLS: Key Factors to Consider When Selecting Your MPLS Provider WHITEPAPER MPLS: Key Factors to Consider When Selecting Your MPLS Provider INTRODUCTION Multiprotocol Label Switching (MPLS), once the sole domain of major corporations and telecom carriers, has gone mainstream

More information

2. Design. 2.1 Secure Overlay Services (SOS) IJCSNS International Journal of Computer Science and Network Security, VOL.7 No.

2. Design. 2.1 Secure Overlay Services (SOS) IJCSNS International Journal of Computer Science and Network Security, VOL.7 No. IJCSNS International Journal of Computer Science and Network Security, VOL.7 No.7, July 2007 167 Design and Development of Proactive Models for Mitigating Denial-of-Service and Distributed Denial-of-Service

More information

White paper. TrusGuard DPX: Complete Protection against Evolving DDoS Threats. AhnLab, Inc.

White paper. TrusGuard DPX: Complete Protection against Evolving DDoS Threats. AhnLab, Inc. TrusGuard DPX: Complete Protection against Evolving DDoS Threats AhnLab, Inc. Table of Contents Introduction... 2 The Evolution of DDoS Attacks... 2 Typical Protection against DDoS Attacks... 3 Firewalls...

More information

2006-1607: SENIOR DESIGN PROJECT: DDOS ATTACK, DETECTION AND DEFENSE SIMULATION

2006-1607: SENIOR DESIGN PROJECT: DDOS ATTACK, DETECTION AND DEFENSE SIMULATION 2006-1607: SENIOR DESIGN PROJECT: DDOS ATTACK, DETECTION AND DEFENSE SIMULATION Yu Cai, Michigan Technological University Dr. Yu Cai is an assistant professor at School of Technology in Michigan Technological

More information

DDoS Protection. How Cisco IT Protects Against Distributed Denial of Service Attacks. A Cisco on Cisco Case Study: Inside Cisco IT

DDoS Protection. How Cisco IT Protects Against Distributed Denial of Service Attacks. A Cisco on Cisco Case Study: Inside Cisco IT DDoS Protection How Cisco IT Protects Against Distributed Denial of Service Attacks A Cisco on Cisco Case Study: Inside Cisco IT 1 Overview Challenge: Prevent low-bandwidth DDoS attacks coming from a broad

More information

Testing Network Virtualization For Data Center and Cloud VERYX TECHNOLOGIES

Testing Network Virtualization For Data Center and Cloud VERYX TECHNOLOGIES Testing Network Virtualization For Data Center and Cloud VERYX TECHNOLOGIES Table of Contents Introduction... 1 Network Virtualization Overview... 1 Network Virtualization Key Requirements to be validated...

More information

A Link Load Balancing Solution for Multi-Homed Networks

A Link Load Balancing Solution for Multi-Homed Networks A Link Load Balancing Solution for Multi-Homed Networks Overview An increasing number of enterprises are using the Internet for delivering mission-critical content and applications. By maintaining only

More information

Kaspersky DDoS Prevention

Kaspersky DDoS Prevention Kaspersky DDoS Prevention The rapid development of the online services industry and remote customer service systems forces entrepreneurs to consider how they can protect and ensure access to their resources.

More information

NETWORK TO NETWORK INTERFACE PLAN

NETWORK TO NETWORK INTERFACE PLAN AT&T will provide interconnect points at both the Network Security Operations Center (NSOC) and the Sam Houston Building (SHB), the prescribed DIR locations via AT&T s VPN (AVPN) service. The standards-based

More information

Automated Mitigation of the Largest and Smartest DDoS Attacks

Automated Mitigation of the Largest and Smartest DDoS Attacks Datasheet Protection Automated Mitigation of the Largest and Smartest Attacks Incapsula secures websites against the largest and smartest types of attacks - including network, protocol and application

More information

Protect your network: planning for (DDoS), Distributed Denial of Service attacks

Protect your network: planning for (DDoS), Distributed Denial of Service attacks Protect your network: planning for (DDoS), Distributed Denial of Service attacks Nov 19, 2015 2015 CenturyLink. All Rights Reserved. The CenturyLink mark, pathways logo and certain CenturyLink product

More information

Survey on DDoS Attack in Cloud Environment

Survey on DDoS Attack in Cloud Environment Available online at www.ijiere.com International Journal of Innovative and Emerging Research in Engineering e-issn: 2394-3343 p-issn: 2394-5494 Survey on DDoS in Cloud Environment Kirtesh Agrawal and Nikita

More information

Business Case for a DDoS Consolidated Solution

Business Case for a DDoS Consolidated Solution Business Case for a DDoS Consolidated Solution Executive Summary Distributed denial-of-service (DDoS) attacks are becoming more serious and sophisticated. Attack motivations are increasingly financial

More information

Introduction. The Inherent Unpredictability of IP Networks # $# #

Introduction. The Inherent Unpredictability of IP Networks # $# # Introduction " $ % & ' The Inherent Unpredictability of IP Networks A major reason that IP became the de facto worldwide standard for data communications networks is its automated resiliency based on intelligent

More information

Architecture Overview

Architecture Overview Architecture Overview Design Fundamentals The networks discussed in this paper have some common design fundamentals, including segmentation into modules, which enables network traffic to be isolated and

More information

How To Protect Your Network From Attack From A Network Security Threat

How To Protect Your Network From Attack From A Network Security Threat Cisco Security Services Cisco Security Services help you defend your business from evolving security threats, enhance the efficiency of your internal staff and processes, and increase the return on your

More information

Federal Computer Incident Response Center (FedCIRC) Defense Tactics for Distributed Denial of Service Attacks

Federal Computer Incident Response Center (FedCIRC) Defense Tactics for Distributed Denial of Service Attacks Threat Paper Federal Computer Incident Response Center (FedCIRC) Defense Tactics for Distributed Denial of Service Attacks Federal Computer Incident Response Center 7 th and D Streets S.W. Room 5060 Washington,

More information

A Review of Anomaly Detection Techniques in Network Intrusion Detection System

A Review of Anomaly Detection Techniques in Network Intrusion Detection System A Review of Anomaly Detection Techniques in Network Intrusion Detection System Dr.D.V.S.S.Subrahmanyam Professor, Dept. of CSE, Sreyas Institute of Engineering & Technology, Hyderabad, India ABSTRACT:In

More information

An Anomaly-Based Method for DDoS Attacks Detection using RBF Neural Networks

An Anomaly-Based Method for DDoS Attacks Detection using RBF Neural Networks 2011 International Conference on Network and Electronics Engineering IPCSIT vol.11 (2011) (2011) IACSIT Press, Singapore An Anomaly-Based Method for DDoS Attacks Detection using RBF Neural Networks Reyhaneh

More information

Increase Simplicity and Improve Reliability with VPLS on the MX Series Routers

Increase Simplicity and Improve Reliability with VPLS on the MX Series Routers SOLUTION BRIEF Enterprise Data Center Interconnectivity Increase Simplicity and Improve Reliability with VPLS on the Routers Challenge As enterprises improve business continuity by enabling resource allocation

More information

TDC s perspective on DDoS threats

TDC s perspective on DDoS threats TDC s perspective on DDoS threats DDoS Dagen Stockholm March 2013 Lars Højberg, Technical Security Manager, TDC TDC in Sweden TDC in the Nordics 9 300 employees (2012) Turnover: 26,1 billion DKK (2012)

More information

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst INTEGRATED INTELLIGENCE CENTER Technical White Paper William F. Pelgrin, CIS President and CEO Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst This Center for Internet Security

More information

2012 Infrastructure Security Report. 8th Annual Edition Kleber Carriello Consulting Engineer

2012 Infrastructure Security Report. 8th Annual Edition Kleber Carriello Consulting Engineer 2012 Infrastructure Security Report 8th Annual Edition Kleber Carriello Consulting Engineer Key Findings in the Survey* Advanced Persistent Threats (APT) a top concern for service providers and enterprises

More information

SHARE THIS WHITEPAPER. On-Premise, Cloud or Hybrid? Approaches to Mitigate DDoS Attacks Whitepaper

SHARE THIS WHITEPAPER. On-Premise, Cloud or Hybrid? Approaches to Mitigate DDoS Attacks Whitepaper SHARE THIS WHITEPAPER On-Premise, Cloud or Hybrid? Approaches to Mitigate DDoS Attacks Whitepaper Table of Contents Overview... 3 Current Attacks Landscape: DDoS is Becoming Mainstream... 3 Attackers Launch

More information

The Reverse Firewall: Defeating DDOS Attacks Emanating from a Local Area Network

The Reverse Firewall: Defeating DDOS Attacks Emanating from a Local Area Network Pioneering Technologies for a Better Internet Cs3, Inc. 5777 W. Century Blvd. Suite 1185 Los Angeles, CA 90045-5600 Phone: 310-337-3013 Fax: 310-337-3012 Email: info@cs3-inc.com The Reverse Firewall: Defeating

More information

MPLS: Key Factors to Consider When Selecting Your MPLS Provider

MPLS: Key Factors to Consider When Selecting Your MPLS Provider White paper MPLS: Key Factors to Consider When Selecting Your MPLS Provider New Edge Networks June 2008 New Edge Networks 3000 Columbia House Blvd. Vancouver, WA 98661 360-693-9009 1-866-636-EDGE www.newedgenetworks.com

More information

Internet Firewall CSIS 4222. Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS 4222. net15 1. Routers can implement packet filtering

Internet Firewall CSIS 4222. Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS 4222. net15 1. Routers can implement packet filtering Internet Firewall CSIS 4222 A combination of hardware and software that isolates an organization s internal network from the Internet at large Ch 27: Internet Routing Ch 30: Packet filtering & firewalls

More information

Der Weg, wie die Verantwortung getragen werden kann!

Der Weg, wie die Verantwortung getragen werden kann! Managed Security Services Der Weg, wie die Verantwortung getragen werden kann! Christoph Altherr System Engineer Security 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 1 Agenda Enterprise

More information

Cisco IOS Flexible NetFlow Technology

Cisco IOS Flexible NetFlow Technology Cisco IOS Flexible NetFlow Technology Last Updated: December 2008 The Challenge: The ability to characterize IP traffic and understand the origin, the traffic destination, the time of day, the application

More information

RSVP- A Fault Tolerant Mechanism in MPLS Networks

RSVP- A Fault Tolerant Mechanism in MPLS Networks RSVP- A Fault Tolerant Mechanism in MPLS Networks S.Ravi Kumar, M.Tech(NN) Assistant Professor Gokul Institute of Technology And Sciences Piridi, Bobbili, Vizianagaram, Andhrapradesh. Abstract: The data

More information

VALIDATING DDoS THREAT PROTECTION

VALIDATING DDoS THREAT PROTECTION VALIDATING DDoS THREAT PROTECTION Ensure your DDoS Solution Works in Real-World Conditions WHITE PAPER Executive Summary This white paper is for security and networking professionals who are looking to

More information

Chapter 9 Firewalls and Intrusion Prevention Systems

Chapter 9 Firewalls and Intrusion Prevention Systems Chapter 9 Firewalls and Intrusion Prevention Systems connectivity is essential However it creates a threat Effective means of protecting LANs Inserted between the premises network and the to establish

More information

First Line of Defense to Protect Critical Infrastructure

First Line of Defense to Protect Critical Infrastructure RFI SUBMISSION First Line of Defense to Protect Critical Infrastructure Developing a Framework to Improve Critical Infrastructure Cybersecurity Response to NIST Docket # 130208119-3119-01 Document # 2013-044B

More information

The Advantages of a Firewall Over an Interafer

The Advantages of a Firewall Over an Interafer FIREWALLS VIEWPOINT 02/2006 31 MARCH 2006 This paper was previously published by the National Infrastructure Security Co-ordination Centre (NISCC) a predecessor organisation to the Centre for the Protection

More information

Protecting DNS Critical Infrastructure Solution Overview. Radware Attack Mitigation System (AMS) - Whitepaper

Protecting DNS Critical Infrastructure Solution Overview. Radware Attack Mitigation System (AMS) - Whitepaper Protecting DNS Critical Infrastructure Solution Overview Radware Attack Mitigation System (AMS) - Whitepaper Table of Contents Introduction...3 DNS DDoS Attacks are Growing and Evolving...3 Challenges

More information

Quality Certificate for Kaspersky DDoS Prevention Software

Quality Certificate for Kaspersky DDoS Prevention Software Quality Certificate for Kaspersky DDoS Prevention Software Quality Certificate for Kaspersky DDoS Prevention Software Table of Contents Definitions 3 1. Conditions of software operability 4 2. General

More information

How To Prevent Hacker Attacks With Network Behavior Analysis

How To Prevent Hacker Attacks With Network Behavior Analysis E-Guide Signature vs. anomaly-based behavior analysis News of successful network attacks has become so commonplace that they are almost no longer news. Hackers have broken into commercial sites to steal

More information

SURE 5 Zone DDoS PROTECTION SERVICE

SURE 5 Zone DDoS PROTECTION SERVICE SURE 5 Zone DDoS PROTECTION SERVICE Sure 5 Zone DDoS Protection ( the Service ) provides a solution to protect our customer s sites against Distributed Denial of Service (DDoS) attacks by analysing incoming

More information

Detection and Controlling of DDoS Attacks by a Collaborative Protection Network

Anu Johnson 1, Bhuvaneswari.P 2 PG Scholar, Dept. of C.S.E, Anna University, Hindusthan Institute of Technology, Coimbatore,

White Paper A SECURITY GUIDE TO PROTECTING IP PHONE SYSTEMS AGAINST ATTACK. A balancing act

With organizations rushing to adopt Voice over IP (VoIP) technology to cut costs and integrate applications designed to serve customers better,

Routing & Traffic Analysis for Converged Networks. Filling the Layer 3 Gap in VoIP Management

Executive Summary: Voice over Internet Protocol (VoIP) is transforming corporate and consumer communications

DDoS Threat Report. Chris Beal Chief Security Architect MCNC chris.beal@mcnc.org @mcncsecurity on Twitter

Insights on Finding, Fighting, and Living with DDoS Attacks v1.1. DDoS in the News - 2014 DDoS Trends

CHAPTER 3. DISTRIBUTED DEPLOYMENT OF DDoS DEFENSE SYSTEM

3.1. INTRODUCTION The last decade has seen many prominent DDoS attacks on high-profile webservers. In order to provide an effective defense against

SecurityDAM On-demand, Cloud-based DDoS Mitigation

Table of contents: Introduction; Why premise-based DDoS solutions are lacking; The problem with ISP-based DDoS solutions; On-demand cloud DDoS

Voice over IP Networks: Ensuring quality through proactive link management

White Paper. Build Smarter Networks. Table of Contents: 1. Executive summary; 2. Overview of the problem; 3. Connectivity

Intelligent. Data Sheet

Cisco IPS Software Product Overview: Cisco IPS Software is the industry's leading network-based intrusion prevention software. It provides intelligent, precise, and flexible protection for your business

www.prolexic.com Stop DDoS Attacks in Minutes

"Prolexic gives us the strong insurance policy against DDoS attacks that we were looking for." Mark Johnson, Chief Financial Officer, RealVision. You've seen

Building Secure Network Infrastructure For LANs

Yeung, K., Hau; and Leung, T., Chuen. Abstract: This paper discusses the building of secure network infrastructure for local area networks. It first gives

Network Security Administrator

Course ID ECC600. Course Description: This course looks at the network security in defensive view. The ENSA program is designed to provide fundamental skills needed to analyze

TRUFFLE Broadband Bonding Network Appliance. A Frequently Asked Question on. Link Bonding vs. Load Balancing

5703 Oberlin Dr Suite 208 San Diego, CA 92121 P:888.842.1231 F: 858.452.1035 info@mushroomnetworks.com

Application of Netflow logs in Analysis and Detection of DDoS Attacks

International Journal of Computer and Internet Security. ISSN 0974-2247 Volume 8, Number 1 (2016), pp. 1-8 International Research Publication House http://www.irphouse.com

Data Sheet. V-Net Link 700 C Series Link Load Balancer. V-NetLink:Link Load Balancing Solution from VIAEDGE

V-NetLink: Link Load Balancer. As the use of the Internet to deliver organizations' applications

VERISIGN DDoS PROTECTION SERVICES CUSTOMER HANDBOOK

CONSIDERATIONS FOR SERVICE ADOPTION Version 1.0 July 2014 VerisignInc.com CONTENTS 1. WHAT IS A DDOS PROTECTION SERVICE? 2. HOW CAN VERISIGN

INCREASE NETWORK VISIBILITY AND REDUCE SECURITY THREATS WITH IMC FLOW ANALYSIS TOOLS

WHITE PAPER. Network administrators and security teams can gain valuable insight into network health in real-time by

Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial

Rocky K. C. Chang, The Hong Kong Polytechnic University. Presented by Scott McLaren. Overview: DDoS overview; Types of attacks

Cloud Security In Your Contingency Plans

Jerry Lock, Security Sales Lead, Greater China. Contingency Plans: Avoid data theft and downtime by extending the security perimeter outside the data-center and protect