Middleware-based approach for preventing distributed deny of service attacks

In this paper, we extend our previous study on VPOE (Virtual Private Operation Environment) to provide the DDOS (distributed deny of service) prevention service in a distributed heterogeneous environment. We introduce our integrated middleware-based defense system to support this service with studying two important components middleware box and domain agent. Our technology includes the following: (1) We adopt network-based middlewares. The network-based middleware is realized by special devices inserted in various locations of the network. Middlewares in the system cooperate to achieve the defense mission objectives. (2) We take the generic primitive and role-based approaches. With the network primitives, middlewares are programmable entities and can change their roles during the system run-time according to the system defense requirements. (3) We take the generic signaling strategy. With the generic signaling control protocols, middlewares can cooperate with each other effectively to achieve the high defense performance globally. There are several advantages with our approach: (1) Middlewares provide transparent services to applications and make our solution both upward and downward compatible. Thus, our technology can be easily deployed with the current computing and communication infrastructure. (2) Our solution is highly efficient. By using the generic middleware box control protocols and network primitives, the middleware boxes can cooperatively share the countermeasure information and easily change their roles run-time to efficiently prevent DDOS attack. In this sense, our defense system can adaptively deploy the defense strategy according to the dynamic network attack situation. As a result, our technology is effective and can be used in a large system.