Autonomic Systems Combating DDoS Attacks
SecurityScape, www.securesynergy.com
Introduction
Distributed Denial of Service (DDoS) attacks are becoming more sophisticated, premeditated and well coordinated. More often than not they target the core Internet infrastructure rather than isolated victims. The October 2002 attack on the 13 root servers underlines the growing threat to the Internet, and readily available DDoS toolkits are making such attacks more common.
Conventionally, DDoS defense has relied on intensive manual procedures: identifying the physical entry points of the flooding traffic and inserting appropriate filters to mitigate the attack. The process then had to be carried upstream and repeated until the source of the attack was plugged. This laborious process required highly skilled network professionals and was time consuming, causing longer downtimes and higher associated costs. It is also impractical for attacks involving hundreds of networks across the globe. This calls for a system that can prevent an attack, detect it, and respond to it autonomically.
What are Autonomic Systems?
The vision of Autonomic Systems is to emulate the human immune system, which recognizes error conditions and performs repair operations automatically. They are self-managing systems that heal, protect, configure and optimize themselves automatically.
The function of the human immune system can be mapped to an abstract model for the IT world, the autonomic cycle. The steps in this cycle are monitoring, event generation, event handling, measures and execution.
Monitoring: Gathers information about resource utilization, errors or events in order to control resources effectively. The information gathered is used to predict future events and to spot abnormal deviations.
Event generation: Generates an event when a certain situation occurs. The decision to generate an event is based on the information gathered by monitoring.
Event handling: Decides which measures should be taken in response to the generated events.
Measures: The set of actions that have to be taken to deal with the situation.
Execution: Executing the measure resolves the problem that caused the situation.
How do DDoS attacks work?
Distributed Denial of Service attacks take advantage of the fact that Internet resources are limited and that the power of many can be used to choke the intended target.
A DDoS attack involves an Attacker, Masters, Agents and the Victim. Agents, also called Zombies, remain passive until they receive instructions from a Master. A Master can handle many Agents. A typical DDoS attack occurs in two phases:
Phase 1: In the first phase the attacker scans for vulnerable systems, compromises them and installs passive Agents. Thus any system on the Internet can inadvertently aid an attack.
Phase 2: In the second phase the attacker issues commands to the Master. The Master in turn instructs the Agents to carry out an attack against the intended victim. This is illustrated in the following figure.
Autonomic DDoS Defense
DDoS defense can be categorized into three areas: prevention, detection and response. Prevention focuses on stopping attacks before they reach the intended victim. Detection explores techniques for identifying an attack early. Response deals with methods for handling an attack once it has been detected.
Prevention
The best mitigation strategy is to stop the attack from occurring at all. This can be achieved with Ingress and Egress filtering. Most DDoS attacks spoof the source IP addresses of attack packets. The source address may be altered to prevent tracing of the attack source, or it may be set to the victim's own address, making the victim appear to be the attacker. Such spoofed packets can be blocked by Ingress and Egress filtering. Ingress filtering denies all incoming traffic whose source address is the same as an intranet address or does not belong to the Internet address space. Egress filtering stops all outgoing packets whose source address is not in the network's assigned IP address range, ensuring that no spoofed packets are transmitted from the network.
In the present dynamic environment, autonomic systems should be able to differentiate legitimate from illegitimate traffic. Self-configuring and self-optimizing are two important attributes of an autonomic system: it should continuously monitor the environment and make real-time changes to the filters to reflect changes in it.
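The ingress and egress rules described above, expressed as a small packet filter. This is an added example and not code from the article; the site prefix 203.0.113.0/24, the short list of non-routable ranges and the sample packets are all constructed for the illustration (the addresses are documentation prefixes, not real hosts).

```python
import ipaddress

# Constructed for this example: the address block assigned to the site.
SITE_PREFIX = ipaddress.ip_network("203.0.113.0/24")

# Ranges that never appear as a legitimate source on the public Internet
# (private, loopback, link-local, multicast, reserved). This short list is an
# assumption for the example; an operator would use a maintained bogon list.
NON_ROUTABLE = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def ingress_verdict(src):
    """Packet arriving from the Internet. Deny it if it claims a source inside
    our own prefix or a source that does not belong to the routable address space."""
    addr = ipaddress.ip_address(src)
    if addr in SITE_PREFIX:
        return "drop: claims internal source"
    if any(addr in net for net in NON_ROUTABLE):
        return "drop: non-routable source"
    return "accept"


def egress_verdict(src):
    """Packet leaving the site. Forward it only if its source is in our assigned
    range, so that no spoofed packet is transmitted from this network."""
    addr = ipaddress.ip_address(src)
    if addr not in SITE_PREFIX:
        return "drop: source not in assigned range"
    return "accept"


def filter_packets(packets):
    """Apply the filter matching each packet's direction.
    `packets` is an iterable of (direction, source_ip); the result counts
    accepted and dropped packets per direction."""
    counts = {"ingress": {"accept": 0, "drop": 0},
              "egress": {"accept": 0, "drop": 0}}
    for direction, src in packets:
        verdict = ingress_verdict(src) if direction == "ingress" else egress_verdict(src)
        counts[direction]["accept" if verdict == "accept" else "drop"] += 1
    return counts


# Constructed sample traffic (documentation prefixes, not real hosts).
SAMPLE_PACKETS = [
    ("ingress", "198.51.100.7"),   # ordinary external client
    ("ingress", "203.0.113.5"),    # inbound packet claiming our own prefix
    ("ingress", "10.1.2.3"),       # inbound packet with a private source
    ("ingress", "192.0.2.44"),     # ordinary external client
    ("egress", "203.0.113.9"),     # legitimate outbound packet
    ("egress", "198.51.100.7"),    # outbound packet with a foreign source
]

if __name__ == "__main__":
    for direction, src in SAMPLE_PACKETS:
        verdict = ingress_verdict(src) if direction == "ingress" else egress_verdict(src)
        print(f"{direction:7} {src:15} {verdict}")
    print(filter_packets(SAMPLE_PACKETS))
```

The two directions are deliberately separate functions: the ingress rule protects the site from packets that impersonate it, while the egress rule protects the rest of the Internet from spoofed packets leaving this site, which is the rule most networks forget to deploy.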
Detection
Large-scale attacks can be readily identified in their final stages by observing very abrupt changes in network traffic. In the early stages of an attack, however, these changes are hard to detect and difficult to distinguish from normal traffic fluctuations. The key to mitigating an attack lies in detecting it early. Statistical data from performance variables and system events is accumulated; it records details such as the traffic at any moment or the fluctuation caused by a device failure. Predictive algorithms use this data to forecast future performance, which gives a picture of normal behavior at any point in time.
Attacks can be detected early by observing deviations from this normal behavior, which is what change-point algorithms do. Autonomic systems apply statistical analysis to data from multiple layers of the network protocol stack in order to detect subtle changes in network traffic that are characteristic of DDoS attacks.
Response
Once an attack is detected, the immediate response should be to identify the source of the attack and block it accordingly. Autonomic systems employ mathematical probability to identify the entry points of attack packets. Packets are dropped randomly in routers one hop away. By analyzing the incoming packets, the points (routers) through which the attack is arriving are identified, and packets from those points are limited appropriately. The process is then repeated with routers two hops away, and so on, until the source(s) of the attack packets are limited. By identifying the proper paths, not all entry points need to be limited, which gives better and faster recovery.
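The hop-by-hop narrowing described above, as an added example that is not the article's own method. It replaces the probabilistic sampling with per-link rate counts that each router is assumed to keep toward the victim, walks upstream from the victim's edge router while a link carries more than its fair share, and applies the limit only where the excess can no longer be traced further. The topologies, the rates and the fair-share value are constructed; the second topology shows the case where the excess is spread across many small senders and the limit has to stay at the link below them.

```python
# Constructed topology: for each router, the packets/s toward the victim
# observed on each upstream link. R0 is the victim's edge router; routers
# with an empty entry are ones whose upstream view is not available to us.
TOPOLOGY = {
    "R0": {"R1": 9000, "R2": 500, "R3": 400},
    "R1": {"R4": 8500, "R5": 300},
    "R2": {"R6": 250, "R7": 250},
    "R3": {},
    "R4": {"R8": 4200, "R9": 4100},
    "R5": {}, "R6": {}, "R7": {}, "R8": {}, "R9": {},
}

# Constructed topology where R1's excess comes from many senders that are each
# within their fair share, so it cannot be pinned on a single upstream link.
SPREAD_TOPOLOGY = {
    "R0": {"R1": 3000, "R2": 200},
    "R1": {"A": 600, "B": 600, "C": 600, "D": 600, "E": 600},
    "R2": {},
}

FAIR_SHARE = 1000  # assumed per-link pps budget toward the victim


def push_back(topology, router, fair_share=FAIR_SHARE):
    """Return the links (router, neighbour, rate) on which to apply a rate limit.

    A neighbour sending more than `fair_share` toward the victim is suspect.
    If that neighbour's own upstream view is available and the excess can be
    traced to specific links one hop further, the limit is pushed there;
    otherwise (no view, or the excess is spread across senders that are each
    within budget) the limit is applied on this link. Links within budget
    are left untouched, which is what lets legitimate entry points keep flowing."""
    limited = []
    for neighbour, rate in topology.get(router, {}).items():
        if rate <= fair_share:
            continue                      # within fair share: not limited
        upstream = push_back(topology, neighbour, fair_share)
        limited.extend(upstream if upstream else [(router, neighbour, rate)])
    return limited


def links_left_open(topology, limited):
    """All links in the topology that carry traffic but were not limited."""
    limited_pairs = {(r, n) for r, n, _ in limited}
    return [(r, n) for r, links in topology.items()
            for n in links if (r, n) not in limited_pairs]


if __name__ == "__main__":
    for name, topo in (("tree", TOPOLOGY), ("spread", SPREAD_TOPOLOGY)):
        limited = push_back(topo, "R0")
        print(name, "limit:", limited)
        print(name, "open:", links_left_open(topo, limited))
```

In the first topology the limit lands two hops above the edge, on the two links into R4 that carry the surge, and the seven other links (including the edge links from R2 and R3) stay open; in the second it stays on the R0 to R1 link because no single upstream sender is over budget.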
Conclusion
Autonomic systems are an evolutionary step in managing functions in a heterogeneous IT environment, freeing the IT professional from tedious processes. They use predictive technologies that correlate events across several IT infrastructure components. In addition to DDoS attacks, autonomic systems can guard against a variety of other attacks and provide other utility services. But autonomic responses to threats can themselves be turned into attack tools, by making a system believe that a victim is an attacker or by tricking two systems into counterattacking each other. Emulating the human immune system to fight off attacks in a system like the Internet will take more time and technology to achieve.