In this paper, we present the design and implementation of the Secure
COLlective Defense (SCOLD) system against DDoS attacks. The key idea of SCOLD
is to follow intrusion tolerance paradigm and provide alternate routes via a
set of proxy servers and alternate gateways when the normal route is
unavailable or unstable due to network failures, congestions, or DDoS attacks.
The BIND9 DNS server and its DNS update utilities were enhanced to support new
DNS entries with indirect routing information. Protocol software for
supporting the establishment of secure indirect routes based on the new DNS
entries was developed for Linux systems. Performance results from a network
testbed show that SCOLD can improve the network security, availability and
performance. Preliminary simulation results of a SCOLD system using NS2
indicate that its performance is scalable with respect to the indirect route
initial setup overhead and processing overhead.