DefCOM: Defensive Cooperative Mesh

Network Security Lab

Security Issues

DefCOM is protected against insider and outsider attacks, and it is robust against message losses.

1. Security against outsider threats.

  • Malicious nodes cannot become part of the DefCOM overlay.
    • Each DEFJOIN and DEFREPLY message must carry a valid certificate vouching for the joining node’s reputation. These certificates could be issued through some global certification authority, or current DefCOM nodes could vouch for the security of a new node.
    • Every forwarded message (such as ALRM and ATTCKCONT) carries the node's signature, so that its peers can verify message authenticity. Messages are infrequent, so the price of public-key cryptography is not large. Messages are encrypted with a key shared between peers to preserve confidentiality, and bear a sequence number to prevent replay attacks.
  • DoS attack on a DefCOM node by flooding it with bogus messages and forcing it to pay the price for cryptographic verification.
    • A DefCOM node limits the rate of DEFJOIN and DEFREPLY messages it is willing to handle. It checks the stamp on all other control messages and only decrypts messages that have a correct peer stamp. Nodes change stamps frequently (currently every 5 seconds) to defeat this attack.

2. Security against insider threats

  • Fabricating DEFJOIN and DEFREPLY messages for routes where no traffic flows.
    • Rate limiting the number of messages a node is willing to receive from each peer. The node first verifies a peer stamp, which is an inexpensive operation, and then it rejects a message if the peer’s rate limit is exceeded.
  • Lying about the attack.
    • DefCOM alert generators possess an authorization to issue alerts for a given victim.
  • Stamping all traffic as legitimate.
    • Non-aggressive checks and reclassification limit the threat.
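
The receive path described in sections 1 and 2 (cheap stamp check, then per-peer rate limit, then the expensive verification, then the sequence-number replay check), as an added sketch that is not DefCOM's own code. The stamp derivation, the use of HMAC in place of the public-key signature, the `PEER_RATE_LIMIT` value and all names are assumptions; decryption is omitted.

```python
import hashlib, hmac

STAMP_PERIOD = 5     # seconds between stamp changes (value from the page)
PEER_RATE_LIMIT = 3  # assumed: messages accepted per peer per stamp period

def stamp_for(key, now):
    # Assumed stamp scheme: short keyed tag over the current 5-second epoch.
    epoch = int(now // STAMP_PERIOD)
    return hmac.new(key, b"stamp|%d" % epoch, hashlib.sha256).digest()[:4]

def sign(key, seq, body):
    # HMAC stands in for the node's public-key signature (assumption).
    return hmac.new(key, b"%d|" % seq + body, hashlib.sha256).digest()

def make_msg(key, seq, body, now):
    # Constructed sample message: (stamp, seq, body, signature).
    return stamp_for(key, now), seq, body, sign(key, seq, body)

class Receiver:
    def __init__(self, peer_keys):
        self.peer_keys = peer_keys   # peer id -> key shared with that peer
        self.last_seq = {}           # peer id -> highest sequence number accepted
        self.window = {}             # peer id -> (epoch, messages seen in it)
        self.expensive_checks = 0    # how often the costly step actually ran

    def handle(self, peer, msg, now):
        stamp, seq, body, sig = msg
        key = self.peer_keys.get(peer)
        if key is None:
            return "drop: unknown peer"
        # 1. Inexpensive stamp comparison: a bogus flood is rejected here.
        if not hmac.compare_digest(stamp, stamp_for(key, now)):
            return "drop: bad stamp"
        # 2. Per-peer rate limit, applied only to correctly stamped messages.
        epoch = int(now // STAMP_PERIOD)
        seen_epoch, count = self.window.get(peer, (epoch, 0))
        count = count + 1 if seen_epoch == epoch else 1
        self.window[peer] = (epoch, count)
        if count > PEER_RATE_LIMIT:
            return "drop: rate limit"
        # 3. Expensive verification runs only for messages that got this far.
        self.expensive_checks += 1
        if not hmac.compare_digest(sig, sign(key, seq, body)):
            return "drop: bad signature"
        # 4. Sequence number must increase, so a captured message cannot be replayed.
        if seq <= self.last_seq.get(peer, 0):
            return "drop: replay"
        self.last_seq[peer] = seq
        return "accept"
```

The `expensive_checks` counter makes the DoS argument measurable: it does not move while wrongly stamped messages arrive, and a peer that exceeds its limit stops costing verification work until the next stamp period.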

3. Robustness to message loss

  • Each control message is acknowledged by the recipient. Unacknowledged messages are repeated after Trto seconds (currently Trto = 2).

Last Modified: January 2007 George Oikonomou, University of Delaware, Newark, DE