9.3. Resources for Learning More


While we believe we have provided a good overview of many important aspects of the DDoS problem, there is a lot more information available than we could hope to fit into this book. Also, research into DDoS attacks and potential defense mechanisms is ongoing, and there is sure to be interesting new information available shortly after this book has gone into print, too late for inclusion. We will now tell you about a number of resources you can use to learn more about DDoS attacks and defenses and to keep up to date on the latest research and news in the field.

The resources we will describe are in several categories. First, we will discuss Web sites that have useful information. Next, we will discuss mailing lists. Then we will talk about conferences and journals that typically publish DDoS-related research.

9.3.1. Web Sites

  • CERT Coordination Center. One of the most important Web sites for getting information about any type of computer security problem is http://www.cert.org/. This Web site belongs to the CERT Coordination Center (CERT/CC), a university-based, government-supported organization that is tasked with keeping on top of newly emerging computer security problems and providing authoritative information about the nature of the problems. The CERT Coordination Center also helps provide information about measures that should be taken in response. The CERT Coordination Center Web site maintains a current list of known vulnerabilities and ongoing security problems, along with advice on fixing those problems. They have a repository of white papers and other information useful in understanding different forms of attacks and defensive mechanisms. The CERT Coordination Center performs research on survivability of computer systems in the face of various attacks, and many conclusions and results from this research are available from their Web site. The CERT Coordination Center also runs educational programs to train computer professionals in understanding and dealing with common security problems.

    The CERT Coordination Center was the first organization of its kind, founded in 1988, but it is by no means the only one in the world. In fact, the CERT Coordination Center has helped many incident response teams around the world get started by providing training, advice, and resource materials. For example, Australia's AusCERT and Germany's DFN-CERT were two of the first that the CERT Coordination Center assisted in getting started, and Japan's JPCERT Coordination Center was another that benefited from early CERT Coordination Center help. The CERT Coordination Center was a founding member of FIRST (Forum of Incident Response and Security Teams; http://www.first.org/), which now has over 100 members. There are more than 300 incident response teams worldwide.

    The CERT Coordination Center Web site is the first place to go to seek assistance in handling a security problem you are not familiar with, including brand new attacks that have suddenly popped up on the network. They produce quick, reliable, detailed reports of new types of attacks. The CERT Coordination Center also has a mailing list through which it delivers alerts of new attacks as soon as they have been verified and properly characterized.

  • Dave Dittrich's DDoS Web page. One of the authors of this book maintains a Web page that contains links to large numbers of pages containing interesting material related to DDoS at http://staff.washington.edu/dittrich/misc/ddos/. This page focuses particularly on DDoS attack tools, but contains much useful and interesting information on other aspects of DDoS attacks and defenses, including research papers, white papers analyzing particular attacks and tools, links to Web sites of commercial providers who sell DDoS defense products, news stories on DDoS attacks, articles and papers offering advice on protecting against DDoS attacks and related security problems (such as IP spoofing), discussions of legal issues concerning DDoS, and links to Web sites belonging to other DDoS researchers.

  • Dshield. Dshield gathers information about new and ongoing attacks from various sources and provides attack characterizations and other relevant information. This Web site's primary purpose is to disseminate firewall rules to allow people to filter out new attacks as quickly as possible, but they provide a wide variety of other interesting and useful information about the kinds of attacks going on at the moment and the latest techniques for handling those attacks. Dshield's home page is http://www.dshield.org/.

  • CAIDA. CAIDA, the Cooperative Association for Internet Data Analysis, does precisely what its name suggests: It gathers and analyzes data concerning the performance of the Internet. CAIDA is not specifically dedicated to DDoS measurement, but has done work on measuring the prevalence of DDoS attacks in the Internet [MVS01], and analysis of DDoS attacks is well within their charter and areas of interest. More recently, they published an analysis of a large DDoS attack on SCO. Their Web site has both of these resources posted, and may feature future work on measuring DDoS. CAIDA's home page is http://www.caida.org/.

9.3.2. Mailing Lists

  • SANS. The Systems, Audit, Network, and Security Institute (SANS) provides information about many issues of properly installing, running, and maintaining computers and networks. Their Web site (http://www.sans.org) contains much interesting and useful information, but the SANS Newsbites newsletter is of particular interest. This newsletter is published weekly and delivered by e-mail to its subscribers. Several editors (who include some of the most respected names in computer security) scan the recent world news concerning issues of computer security and provide short descriptions of the most important stories, usually with Web links to the original, full-length versions. While not limited to stories on DDoS, major DDoS attacks and significant new developments in DDoS defense mechanisms are usually covered in this newsletter. To subscribe, you need to set up a free account at the SANS Web portal: https://portal.sans.org/login.php.

    SANS also publishes a weekly summary of known security flaws in various hardware and software systems called @Risk: The Consensus Security Vulnerability Alert. Generally, this newsletter does not directly discuss DDoS issues, but it may highlight vulnerabilities that will allow attackers to enlist particular machines as agents for DDoS attacks, or semantic-level problems that allow denial of service on particular systems without flooding. It is a good resource for keeping track of which of your systems might need patching. It can be subscribed to in the same way as SANS Newsbites, described above.

  • Cryptogram. Bruce Schneier, a noted author and researcher on issues of computer security, publishes a monthly newsletter called Cryptogram, also usually delivered by e-mail. This newsletter contains Web links to many important recent stories on issues of computer security, but it represents a more definite editorial voice and opinion than SANS Newsbites, whose primary goal is to bring important news to the attention of readers. Cryptogram does not concentrate on DDoS issues, but frequently contains stories on the subject. For more information on Cryptogram, including subscription information, go to http://www.counterpane.com/cryptogram.html.

  • IEEE Cipher. This newsletter is distributed by the IEEE Computer Society's Technical Committee on Security and Privacy. It contains announcements of upcoming conferences in the field, summaries of important results reported at such conferences, book reviews, and other materials of interest to those working in the computer security field. It is produced bimonthly, and you can obtain more information on its contents and how to subscribe by visiting http://www.ieeesecurity.org/cipher.html.

  • RISKS Digest. The ACM Committee on Computers and Public Policy produces a digest of important information concerning risks faced by various users and groups due to reliance on computer and networking technology, moderated by Peter G. Neumann. Many of these risks arise from security concerns, some of them from DoS threats. RISKS Digest can be read over the Web (at http://catless.ncl.ac.uk/Risks) or through a moderated network newsgroup (comp.risks). If these options are not open to you, visit http://catless.ncl.ac.uk/Risks/info.html#subs for other ways to subscribe to this digest.

9.3.3. Conferences and Workshops

There is no single conference or workshop devoted to research on DDoS attacks and defenses. Instead, papers on these subjects tend to appear in the major computer security conferences and many leading networking conferences. Since these conferences cover a much broader range of topics, one must look through a conference program or proceedings to pull out the papers related to DDoS, but nowadays it is common for most of the conferences listed below to have one or more DDoS-related papers each time they are held. Many of the most important papers on DDoS issues were published by one of these conferences.

  • IEEE Symposium on Security and Privacy. Held annually, typically in May. This conference covers the entire range of security research, but often contains some papers on DDoS. For example, the 2003 IEEE Symposium on Security and Privacy contained a paper on using puzzle auctions to defend against DDoS [WR03]. For further information, go to http://www.ieee-security.org and search their conference list.

  • USENIX Security Symposium. Held annually, typically in summer. This conference covers the entire range of computer security problems, so DDoS papers appearing here often prove to be important and influential. For example, USENIX 2001 contained a paper on inferring the frequency and characteristics of DDoS attacks using the backscatter technique [MVS01]. For further information, go to http://www.usenix.org/events/.

  • Annual Computer Security Applications Conference. Held annually, typically in December. This conference tends to concentrate on security at the application level, but has broad coverage of security issues. For example, ACSAC 2003 contained a paper discussing an extension of IP traceback techniques to deal with reflector attacks [CL03]. For further information, go to http://www.acsac.org/.

  • Infocom. Held annually, typically in March or April. This is a large conference covering all topics in networking. For example, Infocom 2001 contained a paper on authentication of marking for traceback solutions to DDoS [SP01]. For further information, go to http://www.ieee-infocom.org/.

  • ACM SIGCOMM Conference. Held annually, typically in August. This conference covers the entire range of networking topics and sometimes will have papers on DDoS issues. For example, SIGCOMM 2002 contained the SOS paper describing that DDoS defense system [KMR02]. For further information, go to http://www.acm.org/sigcomm/sigcomm.html.

  • IEEE International Conference on Network Protocols (ICNP). Held annually, typically in October or November. This conference covers the entire range of networking topics and sometimes has papers on DDoS issues. For example, ICNP 2002 contained a paper on the D-WARD DoS defense system [MPR02]. For further information, go to http://www.ieee-icnp.org/.

  • Network and Distributed System Security Symposium (NDSS). Held annually, typically in February in San Diego, California. NDSS covers a wide range of issues concerning network security, including DoS issues. In recent years, the symposium has typically published one or two papers on DoS issues each year. For example, a major paper on implementing the pushback defense strategy appeared in NDSS 2002 [IB02]. For further information, go to http://www.isoc.org/isoc/conferences/ndss/.

  • New Security Paradigms Workshop (NSPW). Held annually, typically in September. This workshop looks for papers on very new issues in computer security and is most likely to publish papers on entirely new approaches to DDoS defense. The papers are more typically about ideas and approaches than completed systems or studies. For example, NSPW 2003 contained a paper on forming alliances between DDoS defense nodes [MRR03]. For further information, go to http://www.nspw.org.

  • BlackHat Briefings. Several conferences, held internationally each year. This venue concentrates on practical solutions to real security problems, drawing an audience of working professionals in the fields of networking, system administration, and security. This conference is more likely to draw attendees from the hacker community than some of the more academically oriented conferences. For more information, go to http://www.blackhat.com/.

  • CanSecWest. One conference, held in Vancouver, British Columbia, Canada, each year (plus a new Asia-Pacific version held in Japan). This venue concentrates on computer security research of various forms, both theoretical and practical, drawing a similar audience to that of the Black Hat Briefings. Its single-track model, held over three days, allows everyone to hear every talk. For more information, go to http://www.cansecwest.com/.

  • The IEEE Information Assurance Workshop. Held annually, typically in June, at the U.S. Military Academy at West Point, New York (it is also known as the "West Point Workshop"). This conference covers the entire range of information assurance research, including papers on DDoS, information warfare, etc. For further information, go to West Point's Web site: http://www.itoc.usma.edu/workshop/.

  • The USENIX Technical Conference. In addition to the Security Symposium mentioned previously, the USENIX Association holds a general annual technical conference, typically in June or July. This conference has papers and tutorials on hot and important topics in operating systems, networking, and related areas, including security. Some papers on DDoS defense may appear in this conference. For more information, go to http://www.usenix.org/. The USENIX Association runs a wide variety of conferences on topics in systems and networking areas, and sometimes runs one-time workshops or starts new conferences on hot topics, so it is worthwhile to look at their Web site's list of upcoming conferences occasionally. The same observation is true of the ACM and IEEE.

9.3.4. Magazines and Journals

A number of publications often contain useful articles on DDoS attacks. We will not cover newspapers and popular magazines directed to the general community, though these may sometimes contain useful articles on DDoS, but will concentrate on the more technical publications.

  • ACM Transactions on Information and System Security (TISSEC). The Association for Computing Machinery's main journal on security issues. Covering the entire range of security issues, ACM TISSEC will only occasionally contain articles on DDoS, but they are likely to be detailed versions of important work. For example, one of the major articles on IP traceback appeared here in an extended version [DFS02]. For more information, go to http://www.acm.org/pubs/tissec/.

  • IEEE Security and Privacy. A relatively new magazine that publishes articles combining technical depth with accessibility to the typical computer professional. This publication is likely to carry surveys, general descriptions of problems and solutions, and articles that help readers understand general problems, rather than more academic articles giving detailed descriptions of particular systems. For more information, go to http://www.computer.org/security/.

  • IEEE Transactions on Dependable and Secure Computing. A new publication starting in 2004 that will publish scholarly papers in the fields of reliability and security. Since it is a recent publication, describing what will appear there is premature, but it seems likely to be a premier venue for high-quality work on security threats and defenses, including DDoS characterization and defense. For more information, go to http://www.computer.org/tdsc/index.htm.

  • Journal of Computer Security. This journal covers a broad range of computer security issues, and may sometimes contain papers on DDoS issues. For more information, go to http://www.csl.sri.com/programs/security/jcs/.

  • IEEE/ACM Transactions on Networking. A highly respected publication that prints academic papers on all aspects of networking. Some issues contain papers on DDoS. For example, one issue of IEEE/ACM Transactions on Networking contained a paper on single-packet IP traceback [SPS+02]. For more information, go to http://www.ton.cc.gatech.edu/.

  • Computer Communications Review. This magazine, issued by the ACM, emphasizes quick publication of timely information on important new topics in networking. Some issues contain papers on DDoS. For more information, go to http://www.acm.org/sigcomm/ccr/.

  • USENIX ;login:. This bimonthly publication is included in all USENIX Association memberships, and covers a wide range of topics concerning the design, administration, and use of Unix and Linux systems. It publishes many articles that are helpful for system administrators of Unix machines, including occasional articles on DDoS topics. For more information, go to http://www.usenix.org/publications/login/.



Internet Denial of Service: Attack and Defense Mechanisms
ISBN: 0131475738
Year: 2003
Pages: 126