Adapting intrusion detection systems to the new distributed denial of service attacks

Panel Chair

        Jon David (Lehman Brothers)


Panel Participants:

        Robert Stone (UUNET Technologies, Inc)

        Vern Paxson (ACIRI/LBNL)

        Matt Blaze (AT&T Labs)

        John Ioannidis (AT&T Labs)


Panel Description

Distributed denial of service (DDoS) attacks made headlines in February by taking down major networks and services. They are quite possibly the single greatest threat facing the Internet today. The sharing of attack "enhancements" and the distribution of attack tools via the web make these attacks a growing threat.

This session presents the nature and elements of DDoS attacks, and discusses what users, system administrators, Internet Service Providers, and router vendors can do to best prevent, detect and respond to this threat. Key areas it will treat are:

We'll be discussing techniques and technologies that are proven (such as egress filtering, CAR & RED), in the works (such as the ICMP traceback, now an IETF Working Group), and possible (such as ERUF+ITRACE, not yet even proposed to the IETF).  DDoS attacks are not a problem with a fixed solution, and audience participation will be encouraged. 

Additional links:


The World Wide Web Security FAQ Section 11

Practical Network Support for IP Traceback,
     Stefan Savage, David Wetherall, Anna Karlin and Tom Anderson,
     Department of Computer Science and Engineering, University of Washington,
     Technical Report UW-CSE-2000-02-01

Security Portal's Denial of Service (DoS) FAQ

The "stacheldraht" distributed denial of service attack tool
The DoS Project's "trinoo" distributed denial of service attack tool
The "Tribe Flood Network" distributed denial of service attack tool
    David Dittrich <dittrich@cac.washington.edu>
    University of Washington
    Copyright 1999. All rights reserved.
    December 31, 1999