Dispersing Asymmetric DDoS Attacks with SplitStack

This paper presents SplitStack, an architecture targeted at mitigating asymmetric DDoS attacks. These attacks are particularly challenging, since attackers can use a limited amount of resources to trigger exhaustion of a particular type of system resource on the server side. SplitStack resolves this by splitting the monolithic stack into many separable components called minimum splittable units (MSUs). If part of the application stack is experiencing a DDoS attack, SplitStack massively replicates just the affected MSUs, potentially across many machines. This allows scaling of the impacted resource separately from the rest of the application stack, so that resources can be precisely added where needed to combat the attack. We validate SplitStack via a preliminary case study, and show that it outperforms naive replication in defending against asymmetric attacks.
