DARPA Extreme DDOS Project Transforming Network Attack Mitigation

coondoggie quotes a report from Networkworld: Researchers with the Defense Advanced Research Projects Agency (DARPA) have quickly moved to alter the way the military, public and private enterprises protect their networks from high-and low-speed distributed denial-of-service attacks with a program called Extreme DDoS Defense (XD3). The agency has since September awarded seven XD3 multi-million contracts to Georgia Tech, George Mason University, Invincea Labs, Raytheon BBN, Vencore Labs (two contracts) and this week to the University of Pennsylvania to radically alter DDOS defenses. One more contract is expected under the program. [DARPA says the XD3 program looks to develop technologies that: Thwart DDos attacks by dispersing cyber assets (physically and/or logically) to complicate adversarial targeting, disguise the characteristics and behaviors of those assets to confuse or deceive the adversary, blunt the effects of attacks that succeed in penetrating other defensive measures by using adaptive mitigation techniques on endpoints such as mission-critical servers.]

Re:central control = vulnerability to attack

Network nodes and many distributed assets don't require central control though. As long as you can provide an unsaturated path to a node or asset you've thwarted a volume based DDOS. Send encrypted control parameters or configuration information across all paths to a node, as long as it gets there it doesn't really matter what path it takes.

Don't get me wrong, I know it's a hard problem. Replication always is. It definitely will be more difficult to manage and susceptible to new kinds of attack but that doesn't mean it won't be an improvement on the current situation.