Toward Mitigation-as-a-Service in Cooperative Network Defenses

Distributed Denial-of-Service (DDoS) attacks are by design highly decentralized and therefore hard to defend against. By utilizing a decentralized, multi-domain, cooperative defense mechanism, it is possible to combine software and hardware capabilities to effortlessly mitigate large-scale attacks. Cooperative defense systems face many challenges, such as deployment complexity due to high coordination overhead, reliance on trusted and stable channels for communication, and the need for effective incentives to bolster cooperation among all involved parties. In particular, incentives are the key to the successful deployment of "Mitigation-as-a-Service (MaaS)" for cooperative defense systems. This paper discusses the critical issue of providing proof of the effectiveness of a cooperative defense mitigation, considering four state-of-the-art solutions toward an independently verifiable proof of mitigation. A qualitative analysis of these approaches across 9 dimensions shows that none satisfies all requirements, due to the inherent trade-offs between practicability and security. As a result, the issue of authenticating the underlying network flows is identified as remaining unsolved.
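As an added illustration (not code from the paper, and not one of the four solutions it analyses), the sketch below shows the kind of tamper-evident mitigation log a mitigating domain could hand to a verifier: each record is hash-chained to its predecessor and authenticated with an HMAC, so deletion, reordering or after-the-fact editing of records is detectable. It assumes a shared key provisioned between the mitigating domain and the verifier, and all records and addresses are constructed sample data. The last function makes the paper's closing point concrete: a log built from invented records verifies just as cleanly as a genuine one, because the log authenticates what the mitigator wrote down, not the network flows themselves.

```python
import copy
import hashlib
import hmac
import json

# Constructed shared key between the mitigating domain and the verifier.
# In practice it would be provisioned out of band per mitigation contract (assumption).
LOG_KEY = b"constructed-demo-key-do-not-reuse"
GENESIS = "0" * 64  # digest of the (empty) predecessor of the first record


def entry_digest(prev_digest, entry):
    """Chain a record to its predecessor: H(prev_digest || canonical JSON of the entry)."""
    payload = json.dumps(entry, sort_keys=True).encode()
    return hashlib.sha256(prev_digest.encode() + payload).hexdigest()


def entry_tag(digest):
    """HMAC over the chained digest, so only a key holder can produce valid records."""
    return hmac.new(LOG_KEY, digest.encode(), hashlib.sha256).hexdigest()


def append_record(log, entry):
    """Append one mitigation record, linking it to the current head of the chain."""
    prev = log[-1]["digest"] if log else GENESIS
    digest = entry_digest(prev, entry)
    log.append({"entry": entry, "digest": digest, "tag": entry_tag(digest)})
    return log


def verify_log(log):
    """Recompute the chain and tags; report the first record that fails and why."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["digest"] != entry_digest(prev, rec["entry"]):
            return (False, i, "chain break")
        if not hmac.compare_digest(rec["tag"], entry_tag(rec["digest"])):
            return (False, i, "bad tag")
        prev = rec["digest"]
    return (True, len(log), "ok")


def build_sample_log(records):
    log = []
    for r in records:
        append_record(log, r)
    return log


# Constructed mitigation records: what a mitigating domain might report about one rate-limited flow.
SAMPLE_RECORDS = [
    {"seq": 1, "flow": "198.51.100.7->203.0.113.10:80/tcp", "pps_in": 900000, "action": "rate-limit", "pps_out": 50000},
    {"seq": 2, "flow": "198.51.100.7->203.0.113.10:80/tcp", "pps_in": 850000, "action": "rate-limit", "pps_out": 50000},
    {"seq": 3, "flow": "198.51.100.7->203.0.113.10:80/tcp", "pps_in": 12000, "action": "release", "pps_out": 12000},
]


def tampered_log():
    """A mitigator inflates the reported attack volume in record 2 after the fact; the chain catches it."""
    log = copy.deepcopy(build_sample_log(SAMPLE_RECORDS))
    log[1]["entry"]["pps_in"] = 5000000
    return log


def fabricated_log():
    """A mitigator that observed no traffic at all can still emit a log that verifies perfectly:
    the scheme proves log integrity, not that the flows ever existed."""
    invented = [{"seq": 1, "flow": "192.0.2.99->203.0.113.10:80/tcp", "pps_in": 4000000, "action": "drop", "pps_out": 0}]
    return build_sample_log(invented)


if __name__ == "__main__":
    print("genuine:   ", verify_log(build_sample_log(SAMPLE_RECORDS)))
    print("tampered:  ", verify_log(tampered_log()))
    print("fabricated:", verify_log(fabricated_log()))
```

Two limits worth noting when reading the output: truncating records from the tail of the chain is not detected unless the verifier independently knows the expected length or latest digest, and, as `fabricated_log` shows, nothing in the log ties a record to packets that actually crossed the mitigator's interfaces. Closing that second gap is exactly the flow-authentication problem the abstract leaves open.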
