DeDoS: Defusing DoS with Dispersion Oriented Software

This paper presents DeDoS, a novel platform for mitigating asymmetric DoS attacks. These attacks are particularly challenging since even attackers with limited resources can exhaust the resources of well-provisioned servers. DeDoS offers a framework to deploy code in a highly modular fashion. If part of the application stack is experiencing a DoS attack, DeDoS can massively replicate only the affected component, potentially across many machines. This allows scaling of the impacted resource separately from the rest of the application stack, so that resources can be precisely added where needed to combat the attack. Our evaluation results show that DeDoS incurs reasonable overheads in normal operations, and that it significantly outperforms standard replication techniques when defending against a range of asymmetric attacks.
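As an added example (not code from the paper or the DeDoS project), the following constructed capacity model makes the abstract's argument concrete: with a fixed machine size, an attack that exhausts one component's memory forces far more whole-stack replicas than component-level replicas, because each whole-stack machine spends most of its memory on the footprints of components the attack never touches. All component costs, machine budgets and load figures are assumptions chosen for illustration.

```python
import math
from dataclasses import dataclass

# Constructed capacity model, not DeDoS code: a machine has a CPU and a memory
# budget; a component replica has a fixed footprint, a CPU cost per request, and
# may hold per-connection state (the resource an asymmetric attack exhausts).
MACHINE_CPU_MS = 1000.0   # CPU-milliseconds available per second (one core)
MACHINE_MEM_MB = 4096.0

@dataclass(frozen=True)
class Component:
    name: str
    cpu_ms: float   # CPU per legitimate request
    mem_mb: float   # fixed footprint of one replica

STACK = (Component("tls", 2.0, 256), Component("app", 3.0, 1024), Component("db", 1.5, 2048))

def _fraction(cpu_ms, state_mb, headroom_mb):
    """Fraction of one machine consumed; fails if footprints leave no room for state."""
    if headroom_mb <= 0:
        raise ValueError("replica footprints exceed machine memory")
    return max(cpu_ms / MACHINE_CPU_MS, state_mb / headroom_mb)

def monolithic_machines(stack, legit_rps, state_mb):
    """Whole-stack replication: every machine carries every component's footprint,
    so only the leftover memory can absorb the attacked component's state."""
    cpu = sum(legit_rps * c.cpu_ms for c in stack)
    headroom = MACHINE_MEM_MB - sum(c.mem_mb for c in stack)
    return math.ceil(_fraction(cpu, sum(state_mb.values()), headroom))

def dispersed_machines(stack, legit_rps, state_mb):
    """Per-component replication: each component is sized on its own, and a machine
    devoted to one component gives it all memory beyond that component's footprint.
    Components are treated as divisible across machines (bin packing is ignored)."""
    total = 0.0
    for c in stack:
        total += _fraction(legit_rps * c.cpu_ms, state_mb.get(c.name, 0.0),
                           MACHINE_MEM_MB - c.mem_mb)
    return math.ceil(total)

# Constructed scenario: 100 legitimate rps and 25 MB of normal connection state;
# the attack parks 20,000 idle connections in the TLS component at 0.5 MB each.
NORMAL_STATE = {"tls": 25.0}
ATTACK_STATE = {"tls": 25.0 + 20_000 * 0.5}

if __name__ == "__main__":
    for label, state in (("normal", NORMAL_STATE), ("attack", ATTACK_STATE)):
        print(label, monolithic_machines(STACK, 100.0, state),
              dispersed_machines(STACK, 100.0, state))
```

In normal operation both strategies fit on one machine; under the attack the whole-stack approach needs 14 machines while per-component replication needs 4, the gap the abstract attributes to adding resources only where the attack lands.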
