Net-Police: A network patrolling service for effective mitigation of volumetric DDoS attacks

Abstract

Volumetric Distributed Denial of Service (DDoS) attacks are a significant concern for information technology-based organizations. They cause significant revenue losses through wasted resources and unavailable services, both at the victim (e.g., business websites, DNS servers) and at the Internet Service Providers (ISPs) along the attack path. State-of-the-art DDoS mitigation mechanisms attempt to alleviate the losses at either the victim or the ISPs, but not both. In this paper we present Net-Police, a traffic patrolling system for DDoS mitigation. Net-Police identifies the sources of an attack so that filters can be deployed at those sources to mitigate the attack quickly. Such a solution stops malicious traffic from flowing across the ISP networks, so the ISPs benefit as well. Net-Police patrols the network by designating a small number of routers as dynamic packet taggers, pruning benign regions of the network and localizing the search to the Autonomous Systems (ASes) from which the attack originates. We evaluate the proposed solution on 257 real-world topologies from the Internet Topology Zoo library and on the Internet AS-level topology. The paper also describes our hardware test-bed platform of 30 routers, on which network services such as Net-Police can be implemented and studied for on-field feasibility. Our experiments reveal that Net-Police outperforms the state-of-the-art cloud-based and traceback-based solutions in terms of ISP bandwidth savings and availability of the victim to legitimate clients.
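To make the patrolling idea concrete, the following simulation (added here for illustration; it is not code from the paper or its test-bed) places packet taggers round by round on a constructed tree of ASes rooted at the victim, prunes every subtree whose tagger saw no attack traffic, and stops at the leaf ASes that originate the attack. The abstract does not say how Net-Police selects taggers or classifies traffic, so the greedy one-hop-at-a-time placement, the toy topology and the per-flow attack labels are assumptions.

```python
from collections import defaultdict

# Constructed toy AS topology, parent -> children, rooted at the victim "V";
# a packet travels from its origin AS up the chain of parents to V.
TOPOLOGY = {"V": ["AS1", "AS2"], "AS1": ["AS11", "AS12"], "AS2": ["AS21", "AS22"],
            "AS11": ["AS111", "AS112"], "AS12": ["AS121"], "AS21": ["AS211"],
            "AS22": ["AS221", "AS222"]}
PARENT = {c: p for p, kids in TOPOLOGY.items() for c in kids}

# Constructed flows as already classified at the victim: (origin AS, packets, is_attack).
FLOWS = [("AS111", 5, False), ("AS112", 900, True), ("AS121", 7, False),
         ("AS211", 4, False), ("AS221", 3, False), ("AS222", 1200, True)]

def observe(flows, taggers):
    """Forward every flow to V. Each tagger on the path overwrites the packet's
    tag, so the victim sees the tagger nearest to it. Returns attack packets per tag."""
    counts = defaultdict(int)
    for origin, packets, is_attack in flows:
        hop, tag = origin, None
        while hop != "V":
            if hop in taggers:
                tag = hop
            hop = PARENT[hop]
        if is_attack:
            counts[tag] += packets
    return counts

def net_police(flows, topology=TOPOLOGY):
    """Move taggers toward the attack sources round by round, pruning every subtree
    whose tagger saw no attack traffic. Returns (attack ASes, rounds, taggers used)."""
    frontier = set(topology["V"])          # round 1: tag at the victim's neighbours
    rounds = placements = 0
    sources = []
    while frontier:
        rounds += 1
        placements += len(frontier)
        counts = observe(flows, frontier)
        nxt = set()
        for tagger in frontier:
            if counts.get(tagger, 0) == 0:
                continue                   # benign region: pruned, never tagged again
            if topology.get(tagger):
                nxt.update(topology[tagger])   # push taggers one hop toward the source
            else:
                sources.append(tagger)     # leaf AS that originates attack traffic
        frontier = nxt
    return sorted(sources), rounds, placements
```

On the constructed input the search reaches both attack ASes in three rounds using 10 tagger placements, without ever tagging inside the pruned benign subtrees under AS12 and AS21.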
