MiddlePolice: Toward Enforcing Destination-Defined Policies in the Middle of the Internet

Volumetric attacks, which overwhelm the bandwidth of a destination, are amongst the most common DDoS attacks today. One practical approach to addressing these attacks is to redirect all destination traffic (e.g., via DNS or BGP) to a third-party, DDoS-protection-as-a-service provider (e.g., CloudFlare) that is well provisioned and equipped with filtering mechanisms to remove attack traffic before passing the remaining benign traffic to the destination. An alternative approach is based on the concept of network capabilities, whereby source sending rates are determined by receiver consent, in the form of capabilities enforced by the network. While both third-party scrubbing services and network capabilities can be effective at reducing unwanted traffic at an overwhelmed destination, DDoS-protection-as-a-service solutions outsource all of the scheduling decisions (e.g., fairness, priority and attack identification) to the provider, while capability-based solutions require extensive modifications to existing infrastructure to operate. In this paper we introduce MiddlePolice, which seeks to marry the deployability of DDoS-protection-as-a-service solutions with the destination-based control of network capability systems. We show that by allowing feedback from the destination to the provider, MiddlePolice can effectively enforce destination-chosen policies, while requiring no deployment from unrelated parties.
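As an added illustration of the idea in the abstract (not the paper's own code or protocol), the block below shows a provider-side enforcer that applies a policy chosen by the destination (per-source priority weights, sources the destination identified as attackers, the destination's bottleneck capacity) and revises that policy from a feedback message the destination sends back; the feedback fields `loss` and `attackers` and the weighted max-min split are assumptions of this example.

```python
# Toy model of destination-defined policy enforced at a third-party provider.
# The provider never decides fairness, priority or attack identification on
# its own: it only executes what the destination told it and adjusts from
# the destination's feedback. Constructed for illustration, not the paper's design.
from dataclasses import dataclass, field


@dataclass
class DestinationPolicy:
    capacity: float                                 # bytes per round the destination can absorb
    weights: dict = field(default_factory=dict)     # source -> priority weight chosen by destination
    blocked: set = field(default_factory=set)       # sources the destination flagged as attackers


def allocate(policy, demands):
    """Weighted max-min fair split of policy.capacity among unblocked sources.

    demands: source -> bytes the source wants to send this round.
    Returns source -> bytes the provider lets through (blocked sources get 0).
    """
    alloc = {s: 0.0 for s in demands}
    active = {s: d for s, d in demands.items() if s not in policy.blocked and d > 0}
    remaining = policy.capacity
    while active:
        total_w = sum(policy.weights.get(s, 1) for s in active)
        share = {s: remaining * policy.weights.get(s, 1) / total_w for s in active}
        satisfied = [s for s in active if share[s] >= active[s]]
        if not satisfied:            # every remaining source is bottlenecked: weighted share
            alloc.update(share)
            break
        for s in satisfied:          # these get their full demand; redistribute the leftover
            alloc[s] = active.pop(s)
            remaining -= alloc[s]
    return alloc


def apply_feedback(policy, feedback):
    """Update the policy from a destination feedback message (assumed format):
    'loss' is the fraction of forwarded traffic the destination dropped this round,
    'attackers' lists sources the destination itself classified as attack traffic."""
    loss = feedback.get("loss", 0.0)
    if loss > 0:                     # destination still overwhelmed: back the budget off
        policy.capacity *= (1.0 - loss)
    policy.blocked |= set(feedback.get("attackers", ()))
    return policy


# Constructed sample round: C is a high-priority client, B later flagged by the destination.
SAMPLE_POLICY = DestinationPolicy(capacity=100.0, weights={"A": 1, "B": 1, "C": 2})
SAMPLE_DEMANDS = {"A": 10.0, "B": 50.0, "C": 80.0}
```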
