1 Cybersecurity Symposium 9/19/2003 chow C. Edward Chow Yu Cai Dave Wilkinson Department of Computer Science University of Colorado at Colorado Springs.

Presentation transcript:

1 Cybersecurity Symposium 9/19/2003 chow
SCOLD: Secure Collective Internet Defense
A NISSC Sponsored Project
C. Edward Chow, Yu Cai, Dave Wilkinson
Department of Computer Science, University of Colorado at Colorado Springs
Part of this work is based on research sponsored by the Air Force Research Laboratory, under agreement number F
It was sponsored by a NISSC Summer 2002 grant.

2 Outline of the Talk
Network security related research projects at UCCS Network/Protocol Research Lab
Secure Collective Internet Defense, the idea. How should we pursue it?
Secure Collective Internet Defense, SCOLDv0.1. A technique based Intrusion Tolerance paradigm
SCOLDv0.1 implementation and testbed
  Secure DNS update with indirect routing entries
  Indirect routing protocol based on IP tunnel
Performance Evaluation of SCOLDv0.1
Conclusion and Future Directions

3 New UCCS IA Degree/Certificate
Master of Engineering Degree in Information Assurance
Certificate in Information Assurance (First program offered to officers of SPACECOM at Peterson AFB through NISSC and UCCS Continue Education, )
It includes four courses: Computer Networks; Fundamental of Security; Cryptography; Advanced System Security Design

4 UCCS Network/System Research Lab
Director: Dr. C. Edward Chow
Network System Research Seminar: Every Tuesday EAS pm, open to public
New CS Faculty: Dr. Xiaobo Zhou (Differential Service; QoS; Degraded DDoS Defense)
Graduate students:
  John Bicknell/Steve McCaughey/Anders Hansmat: Distributed Network Restoration/Network Survivability (Two US Patents)
  Hekki Julkunen: Dynamic Packet Filter
  Chandra Prakash: High Available Linux kernel-based Content Switch
  Ganesh Godavari (Ph.D.): Linux based Secure Web Switch; Secure Groupware; Wireless Sensor Network
  Angela Cearns: Autonomous Anti-DDoS (A2D2) Testbed
  Longhua Li: IXP-based Content Switch
  Yu Cai (Ph.D.): SCOLD: Indirect Routing, Multipath Routing
  Jianhua Xie (Ph.D.): Secure Storage Networks
  Frank Watson: Content Switch for Security
  Paul Fong: Wireless AODV Routing for sensor networks
  Nirmala Belusu: Wireless Network Security, PEAP vs. TTLS applied to ad hoc network access control
  David Wilkinson: SCOLD: Secure DNS Update
  Murthy Andukuri/Jing Wu: Enhanced BGP/MPLS-based VPN; Disaster Recovery based on iSCSI

5 UCCS Network Lab Setup
Gigabit fiber connection to UCCS backbone
Router/Switch/Firewall/Wireless AP:
  8 Routers*, 4 Express 420 switches, 2 HP 4000 switches, 8 Linksys/Dlink Switches.
  Sonicwall Pro 300 Firewall*, 8 VPN gateways*, 8 Intel 7112 SSL accelerators*; XML directors*.
  Cisco 1200 Aironet Dual Band Access Point and 350 client PC/PCI cards (both a and b cards).
  Intel IXP12EB network processor evaluation board
Servers: Two Dell PowerEdge Servers*, 4 Cache appliances*.
Workstations/PCs: 8 Dell PCs (3 GHz*-500 MHz); 12 HP PCs ( Mhz); 2 laptop PCs with Aironet 350 for mobile wireless
OS: Linux Redhat 9.0; Windows XP/2000
* Equipment donated by Intel

6 DDoS: Distributed Denial of Service Attack
DDoS Victims: Yahoo/Amazon 2000; CERT 5/2001; DNS Root Servers 10/2002
DDoS Tools: Stacheldraht; Trinoo; Tribal Flood Network (TFN)
Research by Moore et al of University of California at San Diego, ,805 DoS in 3-week period
Most of them are Home, small to medium sized organizations

7 Secure Collective Internet Defense
Internet “attacks” community seems to be better organized. How about Internet Secure Collective Defense?
Report/exchange virus info and distribute anti-virus → not bad (need to pay Norton or Network Associate)
Report/exchange spam info → not good (spambayes, SpamAssassin, firewall, remove.org)
Report attack (to your admin or FBI?) → not good
IP Traceback → difficult to negotiate even the use of one bit in IP header
Push back attack → slow call to upstream ISP hard to find IDIP spec!
Form consortium and help each other during attacks → almost non-existent

8 Intrusion Related Research Areas
Intrusion Prevention
  General Security Policy
  Ingress/Egress Filtering
Intrusion Detection
  Honey pot
  Host-based IDS Tripwire
  Anomaly Detection
  Misuse Detection
Intrusion Response
  Identification/Traceback/Pushback
Intrusion Tolerance

9 Wouldn’t it be Nice to Have Alternate Routes?
[Figure: topology diagram. Labels: client networks net-a.com, net-b.com, net-c.com with DNS1, DNS2, DNS3; nodes marked A; routers R; Victim; DNS; Alternate Gateways R1, R2, R3. Legend: DDoS Attack Traffic, Client Traffic.]
How to reroute clients traffic through R1-R3?
Multi-homing

10 Secure Collective Defense
Main Idea → Explore secure alternate paths for clients to come in; utilize geographically separated proxy servers.
Goal:
  Provide secure alternate routes
  Hide IP addresses of alternate gateways
Techniques:
  Multiple Path (Indirect) Routing
  Secure DNS extension: how to inform client DNS servers to add alternate new entries (not your normal DNS name/IP address mapping entry).
  Utilize a consortium of proxy servers with IDS that hides the IP address of alternate gateways.
  How to partition clients to come at different proxy servers? → may help identify the attacker!
  How clients use the new DNS entries and route traffic through proxy server? → Use SOCKS protocol, modify resolver library

11 Implement Alternate Routes
[Figure: topology diagram. Labels: client networks net-a.com, net-b.com, net-c.com with DNS1, DNS2, DNS3; nodes marked A; routers R; Victim; DNS; Alternate Gateways R1, R2, R3. Legend: DDoS Attack Traffic, Client Traffic.]
Need to Inform Clients or Client DNS servers!
But how to tell which Clients are not compromised?
How to hide IP addresses of Alternate Gateways?

12 SCOLD
[Figure: SCOLD topology diagram. Labels: client networks net-a.com, net-b.com, net-c.com with DNS1, DNS2, DNS3; nodes marked A; routers R; Proxy1, Proxy2, Proxy3; gateways R1, R2, R3; Victim; Reroute Coordinator; "block" markers. Legend: Attack Traffic, Client Traffic.]
1. IDS detects intrusion. Blocks Attack Traffic. Sends distress call to Reroute Coordinator.

13 SCOLD
[Figure: SCOLD topology diagram. Labels: client networks net-a.com, net-b.com, net-c.com with DNS1, DNS2, DNS3; nodes marked A; routers R; Proxy1, Proxy2, Proxy3; gateways R1, R2, R3; Victim; Reroute Coordinator; "block" marker. Legend: Attack Traffic, Client Traffic.]
1. IDS detects intrusion. Blocks Attack Traffic. Sends distress call to Reroute Coordinator.
2. Sends Reroute Command with (DNS Name, IP Addr. of victim, Proxy Server(s)) to DNS

14 SCOLD
[Figure: SCOLD topology diagram. Labels: client networks net-a.com, net-b.com, net-c.com with DNS1, DNS2, DNS3; nodes marked A; routers R; Proxy1, Proxy2, Proxy3; gateways R1, R2, R3; Victim; Reroute Coordinator; "block" marker. Legend: Attack Traffic, Client Traffic.]
2. Sends Reroute Command with (DNS Name, IP Addr. of victim, Proxy Server(s)) to DNS
3. New route via Proxy1 to R1
3. New route via Proxy2 to R2
3. New route via Proxy3 to R3

15 SCOLD
[Figure: SCOLD topology diagram. Labels: client networks net-a.com, net-b.com, net-c.com with DNS1, DNS2, DNS3; nodes marked A; routers R; Proxy1, Proxy2, Proxy3; gateways R1, R2, R3; Victim; Reroute Coordinator; "block" marker. Legend: Attack Traffic, Client Traffic.]
3. New route via Proxy1 to R1
3. New route via Proxy2 to R2
3. New route via Proxy3 to R3
4. Attack traffic detected by IDS, blocked by Firewall
4a. Attack traffic detected by IDS, blocked by Firewall

16 SCOLD
[Figure: SCOLD topology diagram. Labels: client networks net-a.com, net-b.com, net-c.com with DNS1, DNS2, DNS3; nodes marked A; routers R; Proxy1, Proxy2, Proxy3; gateways R1, R2, R3; Victim; Reroute Coordinator; "block" marker. Legend: Attack Traffic, Client Traffic.]
1. Distress call
2. Sends Reroute Command with (DNS Name, IP Addr. of victim, Proxy Server(s))
3. New route via Proxy1 to R1
3. New route via Proxy2 to R2
3. New route via Proxy3 to R3
4. Attack traffic detected by IDS, blocked by Firewall
4a. Attack traffic detected by IDS, blocked by Firewall
4b. Client traffic comes in via alternate route
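
The partitioning question on the "Secure Collective Defense" slide and reroute steps 2 to 4a, as an added Python example that is not part of the presentation or of the SCOLD code base. The round-robin policy, all function names, the nine client domains and the victim address 192.0.2.10 are assumptions made for illustration, and it assumes attack traffic arrives through the proxy handed to the attacker's own DNS server.

```python
# Added illustration, not SCOLD project code. Policy and names are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class RerouteCommand:
    """Step 2 payload named on the slides: (DNS name, victim IP, proxy server(s))."""
    dns_name: str
    victim_ip: str
    proxies: tuple


def partition(domains, proxies):
    """Assign each client domain to exactly one proxy (round-robin, assumed policy)."""
    return {d: proxies[i % len(proxies)] for i, d in enumerate(sorted(domains))}


def reroute_commands(assignment, dns_name, victim_ip):
    """Build one command per client DNS server, naming only that domain's proxy,
    so no client domain learns the other proxies or any gateway address."""
    return {d: RerouteCommand(dns_name, victim_ip, (p,)) for d, p in assignment.items()}


def narrow_suspects(suspects, assignment, alerting_proxies):
    """Keep the domains whose assigned proxy reported attack traffic (step 4a)."""
    return {d for d in suspects if assignment[d] in alerting_proxies}


def isolate(domains, proxies, attacking, max_rounds=10):
    """Repartition the remaining suspects each round until the set stops shrinking.

    `attacking` is constructed ground truth used only to simulate which proxy
    IDS sensors raise alerts; a real coordinator would receive those alerts.
    Returns (final suspect set, suspect count after each round).
    """
    suspects, history = set(domains), []
    for _ in range(max_rounds):
        assignment = partition(suspects, proxies)
        alerts = {assignment[d] for d in suspects if d in attacking}
        narrowed = narrow_suspects(suspects, assignment, alerts)
        history.append(len(narrowed))
        done = narrowed == suspects or len(narrowed) <= 1
        suspects = narrowed
        if done:
            break
    return suspects, history


if __name__ == "__main__":
    # Constructed sample input: nine client domains, three proxies.
    domains = [f"net-{c}.com" for c in "abcdefghi"]
    proxies = ["Proxy1", "Proxy2", "Proxy3"]
    first = partition(domains, proxies)
    for domain, cmd in reroute_commands(first, "target.targetnet.com", "192.0.2.10").items():
        print(domain, "->", cmd.proxies)
    print(isolate(domains, proxies, attacking={"net-e.com"}))
```

When several attacking domains keep landing on different proxies, the suspect set stops shrinking and the loop ends with all of them still listed.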

17 SCOLD Secure DNS Update with New Indirect DNS Entries
(target.targetnet.com, , ALT
A set of alternate proxy servers for indirect routes
New Indirect DNS Entries:
  Modified Bind9
  Modified Client Resolve Library

18 SCOLD Indirect Routing
[Figure: indirect routing diagram; label: IP tunnel]

19 SCOLD Indirect Routing with Client running SCOLD client daemon
[Figure: indirect routing diagram; label: IP tunnel]

20 Performance of SCOLD v0.1
Table 1: Ping Response Time (on 3 hop route)
Table 2: SCOLD FTP/HTTP download Test (from client to target)
Column headers: No DDoS attack direct route | DDoS attack direct route | No DDoS attack indirect route | DDoS attack indirect route
Values: 0.49 ms | 225 ms | 0.65 ms

21 A2D2 Multi-Level Adaptive Rate Limiting For Anti-DDos Defense

22 Future Directions
Modify TCP to utilize the multiple geographically diverse routes set up with IP tunnels.
Recruit sites for wide area network SCOLD experiments. Northrop Grumman, Air Force Academy's IA Lab, and University of Texas are initial potential partners. me if you would like to be part of the SCOLD beta test sites and members of the SCOLD consortium.
We are currently working with Northrop Grumman researchers to beta test their new MIND network analysis tool. The network status information collected and analyzed by MIND can be used for selecting proxy server sites. Picking and choosing a geographically diverse set of proxy servers for indirect routing is a challenging research problem. SCOLD technologies can be used as a potential solution for bottlenecks detected by MIND.

23 Conclusion
Secure Collective Internet Defense needs significant help from the community. Tremendous research and development opportunities.
SCOLD v0.1 demonstrated DDoS defense via use of:
  secure DNS updates with new indirect routing
  IP-tunnel based indirect routing to let legitimate clients come in through a set of proxy servers and alternate gateways.
Multiple indirect routes can also be used for improving the performance of Internet connections by using the proxy servers of an organization as connection relay servers.