A moving target defense approach to mitigate DDoS attacks against proxy-based architectures

Distributed Denial of Service attacks against high-profile targets have become more frequent in recent years. In response to such massive attacks, several architectures have adopted proxies to introduce layers of indirection between end users and target services and reduce the impact of a DDoS attack by migrating users to new proxies and shuffling clients across proxies so as to isolate malicious clients. However, the reactive nature of these solutions presents weaknesses that we leveraged to develop a new attack - the proxy harvesting attack - which enables malicious clients to collect information about a large number of proxies before launching a DDoS attack. We show that current solutions are vulnerable to this attack, and propose a moving target defense technique consisting in periodically and proactively replacing one or more proxies and remapping clients to proxies. Our primary goal is to disrupt the attacker's reconnaissance effort. Additionally, to mitigate ongoing attacks, we propose a new client-to-proxy assignment strategy to isolate compromised clients, thereby reducing the impact of attacks. We validate our approach both theoretically and through simulation, and show that the proposed solution can effectively limit the number of proxies an attacker can discover and isolate malicious clients.

[1]  Fei Li,et al.  A moving target DDoS defense mechanism , 2014, Comput. Commun..

[2]  Saman Taghavi Zargar,et al.  A Survey of Defense Mechanisms Against Distributed Denial of Service (DDoS) Flooding Attacks , 2013, IEEE Communications Surveys & Tutorials.

[3]  Stelvio Cimato,et al.  Encyclopedia of Cryptography and Security , 2005 .

[4]  Amir Herzberg,et al.  Bandwidth Distributed Denial of Service: Attacks and Defenses , 2014, IEEE Security & Privacy.

[5]  Aziz Mohaisen,et al.  Delving into Internet DDoS Attacks by Botnets: Characterization and Analysis , 2015, 2015 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks.

[6]  Lee Garber,et al.  Denial-of-Service Attacks Rip the Internet , 2000, Computer.

[7]  Angelos D. Keromytis,et al.  MOVE: An End-to-End Solution to Network Denial of Service , 2005, NDSS.

[8]  Ehab Al-Shaer,et al.  Efficient Random Route Mutation considering flow and network constraints , 2013, 2013 IEEE Conference on Communications and Network Security (CNS).

[9]  Felix C. Freiling,et al.  Measuring and Detecting Fast-Flux Service Networks , 2008, NDSS.

[10]  Amir Herzberg,et al.  DNS authentication as a service: preventing amplification attacks , 2014, ACSAC '14.

[11]  Rodolphe Ortalo,et al.  Experimenting with Quantitative Evaluation Tools for Monitoring Operational Security , 1999, IEEE Trans. Software Eng..

[12]  Philippe Flajolet,et al.  An introduction to the analysis of algorithms , 1995 .

[13]  Fei Li,et al.  Catch Me If You Can: A Cloud-Enabled DDoS Defense , 2014, 2014 44th Annual IEEE/IFIP International Conference on Dependable Systems and Networks.

[14]  Sushil Jajodia,et al.  Moving Target Defense II: Application of Game Theory and Adversarial Modeling , 2012 .

[15]  Sushil Jajodia,et al.  Moving Target Defense - Creating Asymmetric Uncertainty for Cyber Threats , 2011, Moving Target Defense.

[16]  Angelos Stavrou,et al.  Overlay-Based DoS Defenses , 2011, Encyclopedia of Cryptography and Security.

[17]  David G. Andersen Mayday: Distributed Filtering for Internet Services , 2003, USENIX Symposium on Internet Technologies and Systems.

[18]  Angelos D. Keromytis,et al.  SOS: secure overlay services , 2002, SIGCOMM '02.

[19]  P. R. Freeman,et al.  Sequential estimation of the size of a population , 1972 .

[20]  Ieee Staff,et al.  2013 IEEE Conference on Communications and Network Security (CNS) , 2013 .

[21]  Christopher N. Gutierrez,et al.  Denial of Service Elusion (DoSE): Keeping Clients Connected for Less , 2015, 2015 IEEE 34th Symposium on Reliable Distributed Systems (SRDS).