Topic
DDoS mitigation
About: DDoS mitigation is a research topic. Over the lifetime, 237 publications have been published within this topic receiving 8082 citations.
Papers
•
01 Jan 2019
TL;DR: In this paper, the authors proposed a DDoS mitigation system with the use of eBPF and XDP, which can be used to defend against DDoS attacks in real network environments.
Abstract: Distributed Denial of Service (DDoS) attacks are malicious attempts to disrupt a service from the target by overwhelming it with network packets. DDoS attacks are continuously rising in size and diversity. In 2018, Netscout reported a peak of 1.7 Tbps in size [1] and Akamai’s annual report of 2018 [2] states that those spikes are still growing with an increasing growth curve. As an example from the beginning of 2018, with the new memcached attacks, attackers are still finding new ways to perform DDoS attacks. Cloudflare is one of the biggest vendors on the market providing solutions to defend against DDoS attacks. Their defending methods include the filtering of malicious packets by generated rules from attack signatures. The extended Berkeley Packet Filter (eBPF) and eXpress Data Path (XDP) form an important part in those defending methods. With the ability to filter packets at a very high speed, eBPF and XDP prove in existing solutions that they can perform in the fight against DDoS attacks. With eBPF and XDP, malicious packets can be dropped based on rules specified inside the eBPF program. Studies show that eBPF and XDP are tools that are able to drop packets at higher rates than former tools. However, those studies only show this with plain packets and not in the case of an actual DDoS attack. Although eBPF and XDP are open-source, the tools cannot directly be used to mitigate DDoS attacks. In practice a network operator has to know how to use these tools and what the implications of different scenarios can be. Therefore, the overall goal of this study is to research how to use eBPF and XDP to mitigate DDoS attacks and to research how effective the tools can be. A DDoS mitigation system is proposed in this study with the use of eBPF and XDP. With this system a network operator is able to drop packets with up to 100% accuracy when deep packet layers are considered. The XDP filter allows higher packet processing speeds than an Iptables filter with the same rules. The contribution of this study is two-fold. It adds new scientific findings on which new studies can build, and the study can be put into practice by network operators in real network environments.
1 citation
••
TL;DR: Too few organisations are taking note of the multiple warnings in the media and from the security industry, warns Chris Townsley of CDNetworks.
1 citation
••
20 May 2019
TL;DR: Results indicate that trade-offs between performance characteristics can be realized at runtime and that it is possible to increase overall post-transition accuracy by retaining monitoring information.
Abstract: Hierarchical Heavy Hitters (HHHs) identify frequent items in streaming data. Finding these items has several applications to network monitoring, particularly in distributed denial-of-service (DDoS) mitigation and anomaly detection. Several algorithms are available to compute HHHs, each with different performance characteristics in terms of resource consumption, speed and accuracy. These characteristics determine which HHH algorithm may be best suited for a given network situation (e.g., because it offers sufficient accuracy for fine-grained traffic analysis). However, since the situation can evolve over time, the best choice for an HHH algorithm may also change. Simply replacing a chosen HHH algorithm has the drawback of losing all previously acquired monitoring information. This paper introduces the novel concept of HHH-transitions that transfer monitoring information between HHH variants and consequently allows it to adopt new performance characteristics by switching algorithms at runtime. For example, this enables a DDoS mitigation system to adapt to evolving network situations and therefore increase overall Return-on-Mitigation. We present explicit transition rules for common one-dimensional HHH variants and evaluate our approach based on real traffic from MAWILab. Results indicate that trade-offs between performance characteristics can be realized at runtime and that it is possible to increase overall post-transition accuracy by retaining monitoring information.
••
31 Jan 2020
TL;DR: This paper demonstrates the integration of a SiP switching platform to improve real-world Distributed Denial of Service (DDoS) defense systems and shows how DDoS mitigation in the optical domain can be transparent to network and application layers, allowing for reconfiguration and tuning.
Abstract: In this paper, we demonstrate the integration of a SiP switching platform to improve real-world Distributed Denial of Service (DDoS) defense systems. We demonstrate how DDoS mitigation in the optical domain can be transparent to network and application layers, allowing for reconfiguration and tuning. Additionally, we show how optical domain DoS mitigation provides significant cost reduction, with a 1/3 cost reduction, compared to traditional mitigation using electronic counterparts. Our approach is ideal for data-center deployments, and our testbed topology mirrors a standard data center setup.
••
18 Dec 2007
TL;DR: This tutorial will explain the extent of the problem, the tools used by the attackers, and problems with using routers, switches, firewalls and intrusion prevention systems to mitigate DDoS attacks.
Abstract: With BotNets proliferating around the world exponentially, Internet infrastructure which includes e-commerce infrastructure, financial infrastructure, critical infrastructure, national infrastructure, etc. can be easily overwhelmed by distributed denial of service (DDoS) attacks. Worms of Mass Destruction are used by criminals to spread terror and to destabilize infrastructure. With increasing dependence on Internet infrastructure for banking, e-commerce, telecom, utilities, and national security, it is therefore imperative that system architects understand the new threats and understand the mitigation tools and techniques available. This tutorial will explain the extent of the problem, the tools used by the attackers, and problems with using routers, switches, firewalls and intrusion prevention systems to mitigate DDoS attacks. This will be followed by a survey of specialized DDoS mitigation tools and techniques and their benefits in a vendor neutral manner. Current research in top universities centered on this area will be discussed along with trends in the attack patterns. To conclude, future research directions will be discussed so that the attendees get a complete picture.