Sorting the Garbage: Filtering Out DRDoS Amplification Traffic in ISP Networks

Distributed Reflected Denial of Service (DRDoS) attacks have continued to grow at an unprecedented rate in recent years. Attackers abuse genuine services running application protocols built over UDP to generate amplified traffic targeting a victim network. An Internet Service Provider (ISP) may host hundreds or even thousands of hosts running these vulnerable protocols, each of which could become an amplifier node in a DRDoS attack. If abused, they can collectively cause large volumes of garbage amplification traffic to flow out of the ISP network. This wasteful bandwidth consumption costs the provider money and degrades the Quality of Service (QoS) delivered to its customers. Moreover, the owners of services vulnerable to amplification have to spend their own resources processing illicit requests. In this paper, we propose a novel idea for filtering garbage traffic out of an ISP network. We employ a special type of honeypot that collects information about ongoing DRDoS attacks, together with the Software Defined Network (SDN) paradigm, which offers a unified interface for deploying firewall rules on a large variety of network devices. The rules block incoming amplification requests before they reach amplifiers located within the provider network, which rescues vulnerable services from being abused. This prevents garbage traffic from leaving the network, enabling the provider to save money and improve QoS. Moreover, our solution also contributes to the victim's liveness because it reduces the attack traffic reaching the target network. In addition, it encourages ISPs to implement ingress filtering best practices on all of their network routers in order to minimize damage from an attacker located in the same network.
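The following is an added illustration of the filtering step the abstract describes; it is not code from the paper or its authors. It assumes a honeypot exports one record per amplification request it receives (the spoofed source address, i.e. the victim; the amplifier the request was sent to; and the abused UDP port), and that the SDN controller accepts per-flow drop rules, rendered here as ovs-ofctl style strings. The sample prefixes and observations are constructed from documentation address ranges. Only amplifiers inside the provider's own prefixes get rules, and a minimum request count keeps a single stray packet from producing a rule.

```python
"""Turn honeypot-observed amplification requests into ingress drop rules
for amplifiers inside an ISP's address space (added example, not the
paper's own code)."""
from collections import Counter
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Observation:
    """One amplification request seen by the honeypot (assumed record format)."""
    spoofed_src: str   # source address on the request: the attack victim
    amplifier: str     # host the request was sent to
    dst_port: int      # UDP service port being abused (53, 123, ...)


@dataclass(frozen=True)
class DropRule:
    """Match fields for an ingress rule that drops spoofed requests."""
    victim: str
    amplifier: str
    dst_port: int
    hard_timeout: int  # seconds; rules expire so the service is not blocked forever


def inside_network(addr: str, prefixes) -> bool:
    """True if addr lies in one of the ISP's own prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in prefixes)


def build_drop_rules(observations, isp_prefixes, min_requests=3, timeout=300):
    """Aggregate observations into one rule per (victim, amplifier, port).

    Requests aimed at amplifiers outside the ISP network are ignored: the
    provider can only stop requests from reaching hosts it routes for.
    """
    prefixes = [ipaddress.ip_network(p) for p in isp_prefixes]
    counts = Counter(
        (o.spoofed_src, o.amplifier, o.dst_port)
        for o in observations
        if inside_network(o.amplifier, prefixes)
    )
    rules = [
        DropRule(victim=v, amplifier=a, dst_port=p, hard_timeout=timeout)
        for (v, a, p), n in counts.items()
        if n >= min_requests
    ]
    return sorted(rules, key=lambda r: (r.victim, r.amplifier, r.dst_port))


def to_flow_string(rule: DropRule, priority: int = 1000) -> str:
    """Render as an ovs-ofctl add-flow string (assumed controller syntax):
    drop UDP whose source claims to be the victim and whose destination is
    the abused service port on the in-network amplifier."""
    return (
        f"priority={priority},udp,nw_src={rule.victim},nw_dst={rule.amplifier},"
        f"tp_dst={rule.dst_port},hard_timeout={rule.hard_timeout},actions=drop"
    )


# Constructed sample data: 203.0.113.0/24 plays the ISP, 198.51.100.7 the
# victim, 192.0.2.9 an amplifier that is not in the ISP's network.
SAMPLE_PREFIXES = ["203.0.113.0/24"]
SAMPLE_OBSERVATIONS = [
    *[Observation("198.51.100.7", "203.0.113.53", 53)] * 5,    # DNS amplifier
    *[Observation("198.51.100.7", "203.0.113.123", 123)] * 3,  # NTP amplifier
    *[Observation("198.51.100.7", "192.0.2.9", 53)] * 4,       # outside ISP
    Observation("198.51.100.8", "203.0.113.53", 53),           # below threshold
]

if __name__ == "__main__":
    for r in build_drop_rules(SAMPLE_OBSERVATIONS, SAMPLE_PREFIXES):
        print(to_flow_string(r))
```

The hard timeout matters: the rule blocks legitimate traffic from the victim address to that service as well, so it should lapse once the honeypot stops reporting the attack rather than persist. The per-amplifier, per-port granularity also keeps the rule count bounded by the number of abused services rather than by attack volume.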
