SBIR-STTR Award

Automating Collaborative DDoS Mitigation with SDN and BGP Enhancements
Award last edited on: 8/11/2016

Sponsored Program
SBIR
Awarding Agency
DHS
Total Award Amount
$99,919
Award Phase
1
Solicitation Topic Code
H-SB015.1-003
Principal Investigator
Wesley M Eddy

Company Information

MTI Systems Inc

7501 Greenway Center Drive Suite 805
Greenbelt, MD 20770
   (410) 507-0234
   info@mti-systems.com
   www.mti-systems.com
Location: Single
Congr. District: 04
County: Prince Georges

Phase I

Contract Number: ----------
Start Date: ----    Completed: ----
Phase I year
2015
Phase I Amount
$99,919
We propose research to develop a complementary pair of Distributed Denial of Service (DDoS) defense mechanisms, both operating in a collaborative mode between victims and upstream providers or peer networks. For initial detection of possible DDoS attack conditions, we rely on reuse of existing work, but primarily focus on utilization of techniques that are built upon Software-Defined Networking (SDN) mechanisms. SDN plays a large role in the first response mechanism proposed in this research. We will develop a means for network service providers to securely delegate control of their forwarding plane logic to specific customers, using the concept of hierarchical forwarding tables. This will be implemented within systems implementing recent OpenFlow specifications. With proper configuration of the hierarchical forwarding table rules, per-customer rulesets can be provisioned, invoked, and managed by the customers themselves without negative impact to other customers. Since this is only effective at pushing defenses up one level among collaborating administrative domains, we also propose to develop a means of relaying verifiable and authenticable inter-domain notification of detected attack parameters, bootstrapped upon the Secure Inter-Domain Routing (SIDR) or BGPSEC mechanisms. Using messages signed with the existing Resource Public Key Infrastructure (RPKI) developed for BGPSEC, attack reports can be securely flooded across the inter-domain routing system, and acted upon as deemed appropriate by each provider. Commercialization plans leverage the popularity of SDN upgrades planned across the industry and the contribution to open standards work of necessary protocol extensions.

Phase II

Contract Number: ----------
Start Date: ----    Completed: ----
Phase II year
----
Phase II Amount
----