
DDoS mitigation

About: DDoS mitigation is a research topic. Over the lifetime, 237 publications have been published within this topic receiving 8082 citations.


Papers
Dissertation
01 Jan 2019
TL;DR: In this paper, the authors proposed a DDoS mitigation system with the use of eBPF and XDP, which can be used to defend against DDoS attacks in real network environments.
Abstract: Distributed Denial of Service (DDoS) attacks are malicious attempts to disrupt a service from the target by overwhelming it by network packets. DDoS attacks are continuously rising in size and diversity. In 2018, Netscout reported a peak of 1.7 Tbps in size [1] and Akamai’s annual report of 2018 [2] states that those spikes are still growing with an increasing growth curve. As an example from the beginning of 2018, with the new memcached attacks, attackers are still finding new ways to perform DDoS attacks. Cloudflare is one of the biggest vendors on the market providing solutions to defend against DDoS attacks. Their defending methods include the filtering of malicious packets by generated rules from attack signatures. The extended Berkeley Packet Filter (eBPF) and eXpress Data Path (XDP) form an important part in those defending methods. With the ability to filter packets at a very high speed, eBPF and XDP prove in existing solutions that it can perform in the fight against DDoS attacks. With eBPF and XDP, malicious packets can be dropped based on rules specified inside the eBPF program. Studies show that eBPF and XDP are tools that are able to drop packets at higher rates than former tools. However, those studies only show this with plain packets and not in the case of an actual DDoS attack. Although eBPF and XDP are open-source, the tools cannot directly be used to mitigate DDoS attacks. In practice a network operator has to know how to use these tools and what the implication of different scenarios can be. Therefore, the overall goal of this study is to research how to use eBPF and XDP to mitigate DDoS attacks and to research how effective the tools can be. A DDoS mitigation system is proposed in this study with the use of eBPF and XDP. With this system a network operator is able to drop packets up to a 100% accuracy when deep packet layers are considered. The XDP filter allows higher packet processing speeds than an Iptables filter with the same rules. The contribution of this study is two-fold. It adds new scientific findings on which new studies can build upon and the study can be put in practice by network operators in real network environments.

1 citations

Journal ArticleDOI
TL;DR: Too few organisations are taking note of the multiple warnings in the media and from the security industry, warns Chris Townsley of CDNetworks.

1 citations

Proceedings ArticleDOI
20 May 2019
TL;DR: Results indicate that trade-offs between performance characteristics can be realized at runtime and that it is possible to increase overall post-transition accuracy by retaining monitoring information.
Abstract: Hierarchical Heavy Hitters (HHHs) identify frequent items in streaming data. Finding these items has several applications to network monitoring, particularly in distributed denial-of-service (DDoS) mitigation and anomaly detection. Several algorithms are available to compute HHHs, each with different performance characteristics in terms of resource consumption, speed and accuracy. These characteristics determine which HHH algorithm may be best suited for a given network situation (e.g., because it offers sufficient accuracy for fine-grained traffic analysis). However, since the situation can evolve over time, the best choice for an HHH algorithm may also change. Simply replacing a chosen HHH algorithm has the drawback of losing all previously acquired monitoring information. This paper introduces the novel concept of HHH-transitions that transfer monitoring information between HHH variants and consequently allows it to adopt new performance characteristics by switching algorithms at runtime. For example, this enables a DDoS mitigation system to adapt to evolving network situations and therefore increase overall Return-on-Mitigation. We present explicit transition rules for common one-dimensional HHH variants and evaluate our approach based on real traffic from MAWILab. Results indicate that trade-offs between performance characteristics can be realized at runtime and that it is possible to increase overall post-transition accuracy by retaining monitoring information.
Proceedings ArticleDOI
31 Jan 2020
TL;DR: This paper demonstrates the integration of a SiP switching platform to improve real-world Distributed Denial of Service (DDoS) defense systems and shows how DDoS mitigation in the optical domain can be transparent to network and application layers, allowing for reconfiguration and tuning.
Abstract: In this paper, we demonstrate the integration of a SiP switching platform to improve real-world Distributed Denial of Service (DDoS) defense systems. We demonstrate how DDoS mitigation in the optical domain can be transparent to network and application layers, allowing for reconfiguration and tuning. Additionally, we show how optical domain DoS mitigation provides significant cost reduction, with a 1/3 cost reduction, compared to traditional mitigation using electronic counterparts. Our approach is ideal for data-center deployments, and our testbed topology mirrors a standard data center set up.
Proceedings ArticleDOI
18 Dec 2007
TL;DR: This tutorial will explain the extent of the problem, the tools used by the attackers, and problems with using routers, switches, firewalls and intrusion prevention systems to mitigate DDoS attacks.
Abstract: With BotNets proliferating around the world exponentially, Internet infrastructure which includes e-commerce infrastructure, financial infrastructure, critical infrastructure, national infrastructure, etc. can be easily overwhelmed by distributed denial of service (DDoS) attacks. Worms of Mass Destruction are used by criminals to spread terror and to destabilize infrastructure. With increasing dependence on Internet infrastructure for banking, e-commerce, telecom, utilities, and national security, it is therefore imperative that system architects understand the new threats and understand the mitigation tools and techniques available. This tutorial will explain the extent of the problem, the tools used by the attackers, and problems with using routers, switches, firewalls and intrusion prevention systems to mitigate DDoS attacks. This will be followed by a survey of specialized DDoS mitigation tools and techniques and their benefits in a vendor neutral manner. Current research in top universities centered on this area will be discussed along with trends in the attack patterns. To conclude, future research directions will be discussed so that the attendees get a complete picture.

Network Information
Related Topics (5)
Server
79.5K papers, 1.4M citations
85% related
Network packet
159.7K papers, 2.2M citations
84% related
Mobile computing
51.3K papers, 1M citations
84% related
Wireless ad hoc network
49K papers, 1.1M citations
83% related
Wireless network
122.5K papers, 2.1M citations
83% related
Performance
Metrics
No. of papers in the topic in previous years
Year | Papers
2021 | 19
2020 | 34
2019 | 32
2018 | 31
2017 | 28
2016 | 18