
Defending Against Evolving DDoS Attacks: A Case Study Using Link Flooding Incidents

  • Conference paper
  • Security Protocols XXIV (Security Protocols 2016)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10368)

Abstract

Distributed denial-of-service (DDoS) attacks are constantly evolving. Over the last few years, we have observed increasing evidence of attack evolution in multiple dimensions (e.g., attack goals, capabilities, and strategies) and over wide-ranging timescales, from seconds to months. In this paper, we discuss the recent evolution of DDoS attacks and the challenges of countering them. In particular, we focus on the evolution of one of the most insidious DDoS attacks, namely link-flooding attacks, as a case study. To address the challenges posed by these attacks, we propose a two-tier defense that can be effectively implemented using emerging network technologies. The first tier is based on a deterrence mechanism, whereas the second requires inter-ISP collaboration.


Notes

  1. A flow is defined by its 5-tuple: a stream of packets having the same source and destination IP addresses, the same source and destination port numbers, and the same protocol number.

  2. For example, the adversary’s cost of flooding a 10 Gbps link with bots whose uplink bandwidth is only 1 Mbps averaged about $920, with a minimum of about $80, in the US in 2011 [10]. In contrast, 10 Gbps of Internet transit bandwidth cost about $6,300 in 2015 [1]. This represents a cost advantage of roughly 7–80 times for the adversary over the defender.

  3. The market involves many layers of businesses, including equipment companies, optical cable companies, undersea cable companies, Internet exchange points (IXPs), etc.
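As an added illustration of the flow definition in note 1 (example code, not from the paper): constructed packet records are grouped by 5-tuple, and the resulting flows are then summed onto the link each one crosses, which is the per-link view that matters for a link-flooding attack. The packet records and the destination-to-link mapping (`LINK_OF_DST`) are constructed for this example; a real deployment would take packets from a capture or flow export and derive the mapping from routing or topology data. Two practical caveats the code makes visible: the 5-tuple is direction-sensitive, so the two halves of one TCP connection are two distinct flows, and protocols without ports (ICMP here) need a placeholder in the port fields.

```python
from collections import defaultdict
from typing import NamedTuple, Optional

# IP protocol numbers used in the sample records.
TCP, UDP, ICMP = 6, 17, 1


class FlowKey(NamedTuple):
    """The 5-tuple of note 1: a flow is every packet sharing these five fields."""
    src_ip: str
    dst_ip: str
    src_port: Optional[int]   # None for protocols without ports (e.g. ICMP)
    dst_port: Optional[int]
    proto: int


# Constructed packet records for the example (not measurement data from the paper):
# (src_ip, dst_ip, src_port, dst_port, proto, bytes_on_wire)
SAMPLE_PACKETS = [
    ("10.0.0.1",    "192.0.2.10",   40000, 80,    TCP,  1500),
    ("10.0.0.1",    "192.0.2.10",   40000, 80,    TCP,  1500),
    ("192.0.2.10",  "10.0.0.1",     80,    40000, TCP,  60),    # reply direction: a different 5-tuple
    ("10.0.0.2",    "192.0.2.10",   53001, 53,    UDP,  80),
    ("10.0.0.3",    "192.0.2.10",   None,  None,  ICMP, 84),    # ICMP carries no port numbers
    ("10.0.0.3",    "192.0.2.10",   None,  None,  ICMP, 84),
    ("10.0.0.4",    "198.51.100.7", 41000, 443,   TCP,  1500),
]

# Assumed mapping from destination address to the link its traffic traverses.
# This is an illustration-only stand-in for routing/topology data.
LINK_OF_DST = {"192.0.2.10": "link-A", "198.51.100.7": "link-B"}


def flow_key(pkt):
    """Extract the 5-tuple that identifies the flow a packet belongs to."""
    src_ip, dst_ip, sport, dport, proto, _ = pkt
    return FlowKey(src_ip, dst_ip, sport, dport, proto)


def aggregate_flows(packets):
    """Group packets by 5-tuple; return {FlowKey: (packet_count, byte_count)}."""
    stats = defaultdict(lambda: [0, 0])
    for pkt in packets:
        key = flow_key(pkt)
        stats[key][0] += 1
        stats[key][1] += pkt[5]
    return {key: (count, nbytes) for key, (count, nbytes) in stats.items()}


def bytes_per_link(packets, link_of_dst=LINK_OF_DST):
    """Sum each flow's bytes onto the link it crosses; flows with no known link are skipped."""
    load = defaultdict(int)
    for key, (_, nbytes) in aggregate_flows(packets).items():
        link = link_of_dst.get(key.dst_ip)
        if link is not None:
            load[link] += nbytes
    return dict(load)


if __name__ == "__main__":
    flows = aggregate_flows(SAMPLE_PACKETS)
    print(f"{len(SAMPLE_PACKETS)} packets form {len(flows)} flows")
    for key, (count, nbytes) in flows.items():
        print(f"  {key}: {count} pkts, {nbytes} bytes")
    print("bytes per link:", bytes_per_link(SAMPLE_PACKETS))
```

Seven packets become five flows, and the only link-level view that matters for the defender (`bytes_per_link`) is independent of how many small flows contributed to it; note also that the reply packet from 192.0.2.10 has a destination with no link entry and is therefore not counted on link-A.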

References

  1. Internet transit pricing: historical and projected. http://drpeering.net/white-papers/Internet-Transit-Pricing-Historical-And-Projected.php

  2. OpenFlow. https://www.opennetworking.org

  3. Akamai: The state of the Internet, 2nd quarter. Report (2012)

  4. Alwabel, A., Yu, M., Zhang, Y., Mirkovic, J.: SENSS: observe and control your own traffic in the Internet. In: Proceedings of ACM SIGCOMM (2014)

  5. Arbor Networks: Worldwide infrastructure security report, volume IX. Arbor Special Report (2014)

  6. Barker, I.: 2016 will see the rise of DDoS-as-a-service. In: BetaNews (28 December 2015). http://betanews.com/2015/12/28/2016-will-see-the-rise-of-ddos-as-a-service/

  7. Basescu, C., Reischuk, R.M., Szalachowski, P., Perrig, A., Zhang, Y., Hsiao, H.C., Kubota, A., Urakawa, J.: SIBRA: scalable Internet bandwidth reservation architecture. In: Proceedings of NDSS (2016)

  8. Beverly, R., Koga, R., Claffy, K.: Initial longitudinal analysis of IP source spoofing capability on the Internet (2013)

  9. Bright, P.: Can a DDoS break the Internet? Sure... just not all of it. In: Ars Technica (2 April 2013). http://arstechnica.com/security/2013/04/can-a-ddos-break-the-internet-sure-just-not-all-of-it/

  10. Caballero, J., Grier, C., Kreibich, C., Paxson, V.: Measuring pay-per-install: the commoditization of malware distribution. In: Proceedings of USENIX Security (2011)

  11. Cerf, V.: The freedom to be who you want to be: strong authentication and pseudonymity on the Internet. In: RSA Conference (2013)

  12. FCC: April 2014 Multistate 911 Outage: Cause and Impact. Public Safety Docket No. 14-72, PSHSB Case File Nos. 14-CCR-0001-0007 (2014)

  13. Ferguson, P.: Network ingress filtering: defeating denial of service attacks which employ IP source address spoofing. IETF RFC 2827 (2000)

  14. Gligor, V.D.: A note on the denial-of-service problem. In: Proceedings of IEEE Security and Privacy (1983)

  15. Gligor, V.: Dancing with the adversary: a tale of wimps and giants. In: Christianson, B., Malcolm, J., Matyáš, V., Švenda, P., Stajano, F., Anderson, J. (eds.) Security Protocols 2014. LNCS, vol. 8809, pp. 100–115. Springer, Cham (2014). doi:10.1007/978-3-319-12400-1_11

  16. Goodin, D.: How extorted e-mail provider got back online after crippling DDoS attack. In: Ars Technica (10 November 2015). http://arstechnica.com/security/2015/11/how-extorted-e-mail-provider-got-back-online-after-crippling-ddos-attack/

  17. Greene, T.: Bot-herders can launch DDoS attacks from dryers, refrigerators, other Internet of Things devices. In: NetworkWorld (24 September 2014)

  18. Hui, K.-L., Kim, S.-H., Wang, Q.-H.: Marginal deterrence in the enforcement of law: evidence from distributed denial of service attack. In: Workshop on Analytics for Business, Consumer and Social Insights (BCSI), Singapore (August 2013)

  19. Kang, M.S., Gligor, V.D.: Routing bottlenecks in the Internet: causes, exploits, and countermeasures. In: Proceedings of ACM CCS (2014)

  20. Kang, M.S., Gligor, V.D., Sekar, V.: SPIFFY: inducing cost-detectability tradeoffs for persistent link-flooding attacks. In: Proceedings of NDSS (2016)

  21. Kang, M.S., Lee, S.B., Gligor, V.D.: The Crossfire attack. In: Proceedings of IEEE Security and Privacy (2013)

  22. Karami, M., McCoy, D.: Understanding the emerging threat of DDoS-as-a-service. In: Proceedings of the USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET) (2013)

  23. Khandelwal, S.: 602 Gbps! This may have been the largest DDoS attack in history. In: NetworkWorld (8 January 2016)

  24. Lee, S.B., Kang, M.S., Gligor, V.D.: CoDef: collaborative defense against large-scale link-flooding attacks. In: Proceedings of ACM CoNEXT (2013)

  25. Mo, Y., Kim, T.H.J., Brancik, K., Dickinson, D., Lee, H., Perrig, A., Sinopoli, B.: Cyber-physical security of a smart grid infrastructure. Proc. IEEE 100(1), 195–209 (2012)

  26. Mortensen, A.: DDoS Open Threat Signaling requirements. IETF draft-mortensen-threat-signaling-requirements-00 (2015)

  27. NENA: NENA i3 Technical Requirements Document. NENA VoIP/Packet Technical Committee Long Term Definition Working Group (2006)

  28. Nussman, C.: DHS bulletin on Telephony Denial of Service (TDoS) attacks on PSAPs. In: National Emergency Number Association (NENA) (17 March 2013). https://www.nena.org/news/119592/DHS-Bulletin-on-Denial-of-Service-TDoS-Attacks-on-PSAPs.htm

  29. Patterson, D.: Exclusive: inside the ProtonMail siege: how two small companies fought off one of Europe’s largest DDoS attacks. In: TechRepublic (13 November 2015). http://www.techrepublic.com/article/exclusive-inside-the-protonmail-siege-how-two-small-companies-fought-off-one-of-europes-largest-ddos/

  30. Png, I.P., Wang, C.Y., Wang, Q.H.: The deterrent and displacement effects of information security enforcement: international evidence. J. Manag. Inf. Syst. 25, 125–144 (2008)

  31. Rossow, C.: Amplification hell: revisiting network protocols for DDoS abuse. In: Proceedings of NDSS (2014)

  32. Storm, D.: Biggest DDoS attack in history slows Internet, breaks record at 300 Gbps. In: ComputerWorld (27 March 2013)

  33. Studer, A., Perrig, A.: The Coremelt attack. In: Backes, M., Ning, P. (eds.) ESORICS 2009. LNCS, vol. 5789, pp. 37–52. Springer, Heidelberg (2009). doi:10.1007/978-3-642-04444-1_3

  34. Xu, Q., Huang, J., Wang, Z., Qian, F., Gerber, A., Mao, Z.M.: Cellular data network infrastructure characterization and implication on mobile content placement. In: Proceedings of ACM SIGMETRICS (2011)

  35. Xu, Z., Wang, H., Xu, Z., Wang, X.: Power attack: an increasing threat to data centers. In: Proceedings of NDSS (2014)

  36. Yu, C.F., Gligor, V.D.: A formal specification and verification method for the prevention of denial of service. In: Proceedings of IEEE Security and Privacy (1988)

  37. Yu, M., Jose, L., Miao, R.: Software defined traffic measurement with OpenSketch. In: Proceedings of USENIX NSDI (2013)

  38. Yu, T., Sekar, V., Seshan, S., Agarwal, Y., Xu, C.: Handling a trillion (unfixable) flaws on a billion devices: rethinking network security for the Internet-of-Things. In: Proceedings of HotNets (2015)

Author information

Corresponding author: Virgil D. Gligor


Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Kang, M.S., Gligor, V.D., Sekar, V. (2017). Defending Against Evolving DDoS Attacks: A Case Study Using Link Flooding Incidents. In: Anderson, J., Matyáš, V., Christianson, B., Stajano, F. (eds) Security Protocols XXIV. Security Protocols 2016. Lecture Notes in Computer Science, vol 10368. Springer, Cham. https://doi.org/10.1007/978-3-319-62033-6_7

  • DOI: https://doi.org/10.1007/978-3-319-62033-6_7

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-62032-9

  • Online ISBN: 978-3-319-62033-6
