DDoS Defense by Offense

TitleDDoS Defense by Offense
Publication TypeJournal Article
Year of Publication2010
AuthorsWalfish, M., Vutukuru M., Balakrishnan H., Karger D. R., & Shenker S.
Published inACM Transactions on Computer Systems
Other Numbers2814

This article presents the design, implementation, analysis, and experimental evaluation of speak-up, a defense against application-level distributed denial-of-service (DDoS), in which attackers cripple a server by sending legitimate-looking requests that consume computational resources (e.g., CPU cycles, disk). With speak-up, a victimized server encourages all clients, resources permitting, to automatically send higher volumes of traffic. We suppose that attackers are already using most of their upload bandwidth so cannot react to the encouragement. Good clients, however, have spare upload bandwidth so can react to the encouragement with drastically higher volumes of traffic. The intended outcome of this traffic inflation is that the good clients crowd out the bad ones, thereby capturing a much larger fraction of the server's resources than before. We experiment under various conditions and find that speak-up causes the server to spend resources on a group of clients in rough proportion to their aggregate upload bandwidths, which is the intended result.


This work was partially supported by funding provided through National Science Foundation grants CNS: 0225660 (“Robust Large-Scale Distributed Systems”) and CNS: 0520241 ("Internet Revolution through Flat Resolution"), by an NDSEG Graduate Fellowship, and by British Telecom. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors or originators and do not necessarily reflect the views of the funders.

Bibliographic Notes

ACM Transactions on Computer Systems, Vol. 28, Issue 1, No. 3, pp. 1-54. A version of this article appeared in the proceedings of ACM Special Interest Group on Data Communications Conference (SIGCOMM 2006), Pisa, Italy, pp. 303-314, September 2006.

Abbreviated Authors

M. Walfish, M. Vutukuru, H. Balakrishnan, D. Karger, and S. Shenker

ICSI Research Group

Networking and Security

ICSI Publication Type

Article in journal or magazine