Topic

DDoS mitigation

About: DDoS mitigation is a research topic. Over the lifetime, 237 publications have been published within this topic receiving 8082 citations.


Papers
Book Chapter
01 Jan 2021
TL;DR: This paper defines ideal prevention and true prevention, and provides the literature review of DDoS prevention techniques and argues that the ones which conform to the definition of ideal prevention or true prevention are either not dynamic, are computationally expensive, or not scalable; thus, practically not feasible.
Abstract: Networks connected to the Internet are always susceptible to distributed denial-of-service (DDoS) attacks. In spite of a lot of different DDoS defense mechanisms in place, DDoS attacks still happen. These mechanisms fall under the category of DDoS detection, DDoS mitigation, and DDoS prevention. Although DDoS detection and mitigation are well defined and understood terms, DDoS prevention is used with different meanings in the literature. Concerning reflection-based DDoS amplification attacks, in this paper, we define ideal prevention and true prevention. The former is an ideal situation in which primarily the security of all the Internet hosts is well up to the mark and does not allow them to become participating members of DDoS attacks, whereas the latter is a practically feasible situation in which the network itself can prevent and mitigate DDoS attack within some fixed time interval. We also provide the literature review of DDoS prevention techniques and argue that the ones which conform to the definition of ideal prevention or true prevention are either not dynamic, are computationally expensive, or not scalable; thus, practically not feasible.

2 citations

Book Chapter
11 May 2019
TL;DR: A proactive conceptual defensive framework for protecting the core architecture of Cloud computing environment against the wake of Distributed Denial of Service attacks is proposed.
Abstract: The impact of Cloud computing on the current information technology infrastructure has undeniably led to a paradigm shift. The Software, Platform and Infrastructure services offered by Cloud computing have been widely adopted by industries and academia alike. Protecting the core architecture of Cloud computing environment against the wake of Distributed Denial of Service attacks is necessary. Any disruptions in Cloud services reduce availability, causing losses to the organizations involved. Firms lose revenue and customers lose trust in Cloud providers. This paper discusses a risk transfer based approach to handle such attacks in Cloud environment employing Fog nodes. Fog nodes work in tandem with Autonomous systems possessing unused bandwidth which can be leveraged by the Cloud during an attack. The burden of protection is partially transferred to willing third parties. Such a proactive conceptual defensive framework has been proposed in this paper.

2 citations

Proceedings Article
01 Sep 2016
TL;DR: Performance measurements carried out on 10 Gbit networks show that the design and implementation of a multi-10 Gbit extensible network traffic analysis and policing system can effectively provide both traffic visibility and enforcement of a wide range of network traffic policies.
Abstract: Current practices in network security deployment require multiple specialised devices such as firewalls, traffic shapers, sensors or Intrusion Detection Systems (IDSs) to handle malicious traffic. This practice not only increases the overall operational costs but also makes network administration complicated. The high cost of Distributed Denial of Service (DDoS) mitigation devices empowers centralised services and network architectures as there is not a cost-effective model to deploy them at the “true edge” of the network. This paper describes the design and implementation of a multi-10 Gbit extensible network traffic analysis and policing system. It is composed of logical detection and enforcement functions built from reusable underlying primitives. As an example of such a modular approach, we present an innovative DDoS scrubbing system composed of various attack detection primitives, combined with enforcement primitives that include traffic filtering, rate limiting, and proxying. Based on commodity hardware and open source software, such a system is price, space, and power efficient enough to be practically deployable at the edge of the network. Performance measurements carried out on 10 Gbit networks show that it can effectively provide both traffic visibility and enforcement of a wide range of network traffic policies.

1 citation

Book Chapter
01 Jan 2016
TL;DR: This approach utilizes a real time hybrid cloud test bed environment implemented with both intrusion detection system (IDS) and intrusion prevention system (IPS) components for result analysis and is utilized to mitigate signature based attacks at layers 3, 4 and 7 of TCP/IP network model.
Abstract: Uninterrupted services are the most important factor for building customers' trust towards a particular service provider. Distributed denial of service attacks are major threats towards disrupting the customer base for these service providers. Increasing sophistication of these attacks makes them stealthier to evade existing perimeter security mechanisms. Hence, there is a need to design a dedicated mechanism to counter these attacks. In this paper we present a real time mitigation approach for DDoS attacks in a hybrid cloud. This approach utilizes a real time hybrid cloud test bed environment implemented with both intrusion detection system (IDS) and intrusion prevention system (IPS) components for result analysis and is utilized to mitigate signature based attacks at layers 3, 4 and 7 of TCP/IP network model. To implement this approach various stages to mitigate these attacks are considered. The results obtained have 100 % detection accuracy in all the scenarios considered.

1 citation


Network Information
Related Topics (5)
Server: 79.5K papers, 1.4M citations, 85% related
Network packet: 159.7K papers, 2.2M citations, 84% related
Mobile computing: 51.3K papers, 1M citations, 84% related
Wireless ad hoc network: 49K papers, 1.1M citations, 83% related
Wireless network: 122.5K papers, 2.1M citations, 83% related
Performance
Metrics
No. of papers in the topic in previous years
Year    Papers
2021    19
2020    34
2019    32
2018    31
2017    28
2016    18