DynaShield: Reducing the Cost of DDoS Defense using Cloud Services

Fueled by IoT botnets and DDoS-as-a-Service tools, distributed denial of service (DDoS) attacks have reached record high volumes. Although DDoS protection services exist, they can be costly for small organizations as well as individual users. In this paper, we present a low-cost DDoS solution, DynaShield, which a user can deploy at common cloud service providers. DynaShield employs three techniques to reduce cost. First, it uses an on-demand model: a server dynamically updates its DNS record to redirect clients’ traffic to DynaShield only when it is under attack, avoiding cloud service charges during peacetime. Second, DynaShield combines serverless functions and elastic servers provided by cloud providers to auto-scale to large attacks without overprovisioning. Third, DynaShield uses cryptocurrency puzzles as proof of work; the coin mining profit can further offset a protected server’s cloud service charges. Our preliminary evaluation suggests that DynaShield can cost as little as a few dollars per month to protect an organization against common DDoS attacks.
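As an added example, not code from the paper or from the DynaShield project, the following Python sketch shows the two mechanisms the abstract describes: an on-demand switch that decides which address the protected server's DNS record should publish based on the observed request rate, and a stateless proof-of-work gate that the shield can apply to incoming clients. The paper uses cryptocurrency mining puzzles so that the work has resale value; here a plain hashcash-style SHA-256 puzzle with HMAC-bound challenges stands in for it. The addresses, threshold, window, difficulty and all class and function names are constructed assumptions, and the DNS update itself is represented by the address `dns_target()` returns rather than by a call to any provider's API.

```python
import hashlib
import hmac
import secrets
from collections import deque

# Constructed assumptions, not values from the paper.
ORIGIN_ADDR = "203.0.113.10"    # origin server (documentation-range address)
SHIELD_ADDR = "198.51.100.20"   # cloud-hosted shield front end
ATTACK_THRESHOLD_RPS = 100.0    # above this rate the server counts as "under attack"
WINDOW_SECONDS = 1.0            # sliding window for the rate estimate


class OnDemandSwitch:
    """Decides which address the protected server's DNS record should publish.

    In peacetime the record points at the origin; once the observed request
    rate crosses the threshold it points at the shield, so the cloud service
    is only used (and paid for) while an attack is in progress.
    """

    def __init__(self, threshold_rps=ATTACK_THRESHOLD_RPS, window=WINDOW_SECONDS):
        self.threshold = threshold_rps
        self.window = window
        self.arrivals = deque()   # request timestamps inside the window
        self.under_attack = False

    def record_request(self, now):
        """Record one request at time `now` (seconds) and return the current rate."""
        self.arrivals.append(now)
        while self.arrivals and now - self.arrivals[0] > self.window:
            self.arrivals.popleft()
        rate = len(self.arrivals) / self.window
        self.under_attack = rate > self.threshold
        return rate

    def dns_target(self):
        """Address the DNS A record should currently point at."""
        return SHIELD_ADDR if self.under_attack else ORIGIN_ADDR


def meets_difficulty(digest, bits):
    """True when the first `bits` bits of a 32-byte digest are all zero."""
    return int.from_bytes(digest, "big") >> (256 - bits) == 0


class HashPuzzle:
    """Hashcash-style client puzzle with stateless, HMAC-authenticated challenges.

    The shield keeps no per-client state: a challenge carries the client id,
    its issue time and a MAC, so any shield instance holding the key can verify
    it. The client must find a nonce such that SHA-256(challenge|nonce) has
    `difficulty` leading zero bits; difficulty can be raised as the rate climbs.
    """

    def __init__(self, difficulty, key=None):
        self.difficulty = difficulty
        self.key = key if key is not None else secrets.token_bytes(32)

    def _mac(self, client_id, issued):
        msg = f"{client_id}|{issued}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:32]

    def issue_challenge(self, client_id, now):
        issued = int(now)
        return f"{client_id}|{issued}|{self._mac(client_id, issued)}"

    def verify(self, challenge, nonce, client_id, now, max_age=60):
        """Check authenticity, freshness, binding to the client, and the work done."""
        parts = challenge.split("|")
        if len(parts) != 3 or parts[0] != client_id:
            return False
        try:
            issued = int(parts[1])
        except ValueError:
            return False
        if not hmac.compare_digest(parts[2], self._mac(client_id, issued)):
            return False
        if not 0 <= now - issued <= max_age:
            return False
        digest = hashlib.sha256(f"{challenge}|{nonce}".encode()).digest()
        return meets_difficulty(digest, self.difficulty)


def solve_puzzle(challenge, difficulty, limit=1 << 24):
    """Client side: brute-force a nonce; expected work is about 2**difficulty hashes."""
    for nonce in range(limit):
        digest = hashlib.sha256(f"{challenge}|{nonce}".encode()).digest()
        if meets_difficulty(digest, difficulty):
            return nonce
    raise RuntimeError("no solution within limit")


if __name__ == "__main__":
    switch = OnDemandSwitch()
    for _ in range(150):                      # constructed burst above the threshold
        switch.record_request(now=0.0)
    print("DNS target during burst:", switch.dns_target())
    puzzle = HashPuzzle(difficulty=12)
    chal = puzzle.issue_challenge("client-A", now=1000)
    nonce = solve_puzzle(chal, 12)
    print("nonce", nonce, "verified:", puzzle.verify(chal, nonce, "client-A", now=1005))
```

The challenge is bound to a client identifier and a timestamp so that a solved puzzle cannot be replayed for another client or reused indefinitely, and verification is stateless so it scales horizontally across serverless instances the way the abstract's auto-scaling design requires.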
