Francis, Paul2007-04-042007-04-042006-12-08http://techreports.library.cornell.edu:8081/Dienst/UI/1.0/Display/cul.cis/TR2006-2060https://hdl.handle.net/1813/5753After many years of research, the Distributed Denial of Service (DDoS) problem remains essentially unsolved, both in industry and in research. Industry solutions rely primarily on beefing up the bandwidth near the attack target, and/or on intercepting traffic at proxies while keeping the target IP address secret. The former approach is expensive, and the latter amounts to "security through obscurity". Existing research solutions, on the other hand, have so far proven economically infeasible. We propose an architecture, called the firebreak, based on IP-level indirection. With firebreak, target IP addresses are simply unreachable from ISP customer networks and endhosts. Rather, IP packets are addressed to proxies deployed near the edge using IP anycast, and from there are tunneled using the target IP addresses. This use of IP indirection, as well as the use of IP anycast and tunneling to deploy firebreak, is the main research contribution of firebreak. This paper describes the firebreak architecture, discusses its pros and cons, and suggests directions for future work189960 bytesapplication/pdfen-UScomputer sciencetechnical reporttechnical report