Practical Proactive DDoS-Attack Mitigation via Endpoint-Driven In-Network Traffic Control

Volumetric attacks, which overwhelm the bandwidth of a destination, are among the most common distributed denial-of-service (DDoS) attacks today. Despite considerable effort by both research and industry, our recent interviews with over 100 potential DDoS victims in over 10 industry segments indicate that today’s DDoS prevention is far from perfect. On one hand, few academic proposals have ever been deployed in the Internet; on the other hand, solutions offered by existing DDoS prevention vendors are not a silver bullet against the entire attack spectrum. Guided by this large-scale study of today’s DDoS defense, in this paper we present MiddlePolice, the first readily deployable and proactive DDoS prevention mechanism. We carefully architect MiddlePolice so that it requires no changes to either the Internet core or the network stack of clients, yielding instant deployability in the current Internet architecture. Further, relying on our novel capability feedback mechanism, MiddlePolice is able to enforce destination-driven traffic control, so that it guarantees delivery of victim-desired traffic regardless of the attacker’s strategy. We implement a prototype of MiddlePolice and demonstrate its feasibility via extensive evaluations in the Internet, on a hardware testbed, and in large-scale simulations.
