Denial of Service Elusion (DoSE): Keeping Clients Connected for Less

Denial of Service (DoS) attacks continue to grow in magnitude, duration, and frequency, increasing the demand for techniques that protect services from disruption, especially at low cost. We present Denial of Service Elusion (DoSE), an inexpensive method for mitigating network-layer attacks that uses cloud infrastructure and content delivery networks to protect services from disruption. DoSE uses these services to create a relay network between the client and the protected service that evades attack by selectively releasing IP address information. DoSE incorporates client reputation as a function of prior behavior to stop attackers, along with a feedback controller to limit costs. We evaluate DoSE by modeling relays, clients, and attackers in an agent-based MATLAB simulator. The results show DoSE can mitigate a single-insider attack on 1,000 legitimate clients in 3.9 minutes while satisfying an average of 88.2% of requests during the attack.
