Secure Double-Layered Defense against HTTP-DDoS Attacks

Distributed Denial of Service (DDoS) attacks remain a major cyber-security concern for web servers. Previously we proposed a novel overlay-based method consisting of a distributed network of public servers (PS) for preparation and access nodes (AN) for actual communication. The AN's performance is evaluated under difficult-to-detect HTTP(S)-DDoS attacks. Yet attackers may attempt service denial by attacking the PS instead. The focus of this paper is on mitigating complex slow-requesting HTTP-DDoS attacks that target the PS. A proof-of-concept prototype is implemented with simplified countermeasures and tested. We report on the results of two experiments. Results suggest that the simple PS role can enable high mitigation factors for both high-rate and low-rate attack traffic per source, even with 10,000 unique attack sources per target PS, acting as a second layer of defense alongside the AN. This comes, however, at the cost of a longer time to load the requested resource file in comparison to direct access.
