CED3: Comparative Evaluation of DDoS Defences

DDoS defence validation provides a way to capture the usefulness of defensive solutions to one of the most notorious Internet attacks of our generation. A uniform method of defence evaluation, enables not only the individual assessment of defences but, if well formed, offers a valuable mechanism by which different DDoS defences can be objectively analysed and commensurably compared. Success in this area would not only enable individual organizations to make better individual decisions on which defences to implement, but would facilitate inter-organizational collaboration for the improvement of national infrastructure. This paper presents CED3 (pronounced “Seed”), a DDoS defence evaluation methodology that enables objective comparison of DDoS defences. Instead of gauging a defence’s effectiveness by testing it under benchmark scenarios that are formed independently of the defence in question, CED3 starts with theoretical analysis that considers “metrics of distinction” to identify relevant tests. This approach enables CED3 to more completely evaluate defences by capturing both strengths and limitations. CED3 introduces the notion of “true effectiveness” in a defence’s evaluation, which encapsulates not just the performance of a defence under test but also the cost to an attacker necessary to overcome that defence. Lastly, CED3 provides a taxonomy-based defence-map, using which a defence’s scope and evaluation performance can be more clearly visualised. The CED3 methodology was applied to three notable defence schemes: capacity enlargement, Passport and TrustGuard and the formulated. Tests were performed via simulation, using the NS-3 software executing on a high performance computing cluster, and comprised of hundreds of thousands of CPU hours. The resulting comparative evaluation, discussion and conclusions are presented in this paper.