Elimination of DoS UDP Reflection Amplification Bandwidth Attacks, Protecting TCP Services

In this paper, we propose a solution to eliminate a popular type of Denial of Service (DoS) attack, which is a DoS amplification attack. Note that a DoS is a subset of DDoS. Our solution protects servers running any number of TCP services. This paper is focused on the most popular type of DoS amplification attack, which uses the UDP protocol. Via DoS UDP amplification attacks, an attacker can send a 1 Gbps traffic stream to reflectors. The reflectors will then send up 556 times that amount (amplified traffic) to the victim’s server. So just ten PCs, each sending 10 Mbps, can send 55 Gbps indirectly, via reflectors, to a victim’s server. Very few ISP customers have 55 Gpbs provisioned. Expensive and complex solutions exist. However our elimination techniques can be implemented very quickly, easily and at an extremely low cost.

[1]  Amir Herzberg,et al.  Bandwidth Distributed Denial of Service: Attacks and Defenses , 2014, IEEE Security & Privacy.

[2]  Kotagiri Ramamohanarao,et al.  Survey of network-based defense mechanisms countering the DoS and DDoS problems , 2007, CSUR.

[3]  Jugal K. Kalita,et al.  An empirical evaluation of information metrics for low-rate and high-rate DDoS attack detection , 2015, Pattern Recognit. Lett..

[4]  Bharat Bhargava,et al.  Monitoring and Managing Cloud Computing Security using Denial of Service Bandwidth Allowance , 2013 .

[5]  P. Varalakshmi,et al.  Thwarting DDoS attacks in grid using information divergence , 2013, Future Gener. Comput. Syst..

[6]  Wei Wei,et al.  A Rank Correlation Based Detection against Distributed Reflection DoS Attacks , 2013, IEEE Communications Letters.

[7]  C. Chellappan,et al.  A Pioneer Scheme in the Detection and Defense of DrDoS Attack Involving Spoofed Flooding Packets , 2014, KSII Trans. Internet Inf. Syst..

[8]  Hyong S. Kim,et al.  Estimation of the available bandwidth ratio of a remote link or path segments , 2013, Comput. Networks.

[9]  Ning Lu,et al.  Filtering location optimization for the reactive packet filtering , 2014, Secur. Commun. Networks.

[10]  Chu-Hsing Lin,et al.  Preserving quality of service for normal users against DDoS attacks by using Double Check Priority Queues , 2013, J. Ambient Intell. Humaniz. Comput..

[11]  S. Mercy Shalinie,et al.  Autonomous Agent for DDoS Attack Detection and Defense in an Experimental Testbed , 2014 .