An Overlay Architecture for End-to-End Service Availability

Angelos Stavrou
Columbia University

Thursday, March 1, 11:00AM
Babbio Center, Room 202
Stevens Institute of Technology
 

Abstract


Perhaps one of the most compelling problems of the Internet today is the lack of a comprehensive and unifying approach to dealing with online service security and resilience: there exist a lot of mechanisms but no "security and availability architecture" -- no set of policies or standards for how these mechanisms can be combined to achieve overall good security. My work is aimed at introducing and analyzing mechanisms that boost the security, resilience and performance of network systems in a manner that is transparent to both the existing infrastructure and the end-users.

In this talk, I will discuss my work on defending against distributed denial of service (DDoS) attacks. Such attacks involve large numbers of compromised hosts (bots) that send unsolicited traffic toward a target, congesting the network links close to it and rendering its services unusable. To address these issues, I propose a novel almost-stateless spread-spectrum-like paradigm that exploits per-packet path diversity between each pair of communicating end-nodes by using a distributed overlay network. I will present a novel overlay architecture, which is based on this spread-packet approach, focusing on the system design, security and economic analysis, and the novel DoS-resistant authentication protocol used to authenticate end nodes.

I will show analytically that an Akamai-sized overlay can withstand attacks involving millions of "zombie" hosts while providing uninterrupted end-to-end connectivity. By using packet replication, the system can resist attacks that render a large fraction of the nodes inoperable. Our experiments on PlanetLab demonstrate that in many cases end-to-end latency decreases when packet replication is used. Similarly, even when subjected to a large DDoS attack, a protected service remains fully operational, experiencing only a small performance degradation in the end-to-end throughput. Contrary to most work in DDoS defense, our system is fully implementable and deployable on the current Internet.