ABSTRACT
Volumetric distributed denial-of-service (DDoS) attacks can bring any network to a halt. Because of their distributed nature and high volume, the victim often cannot handle these attacks alone and needs help from upstream ISPs. Today's Internet has no automated mechanism for victims to ask ISPs for help in attack handling, and ISPs themselves do not offer such services. We propose SENSS, a security service for collaborative mitigation of volumetric DDoS attacks. SENSS enables the victim of an attack to request attack monitoring and filtering on demand, and to pay for the services rendered. Requests can be sent both to the immediate and to remote ISPs, in an automated and secure manner, and can be authenticated by these ISPs without any prior trust relationship with the victim. Simple and generic SENSS APIs enable victims to build custom detection and mitigation approaches against a variety of DDoS attacks. SENSS is deployable with today's infrastructure, and it has strong economic incentives both for ISPs and for attack victims. It is also very effective in sparse deployment, offering full protection to direct customers of early adopters, and considerable protection to remote victims when deployed strategically. Deployment on the largest 1% of ISPs protects not just the direct customers of these ISPs, but everyone on the Internet, from 90% of volumetric DDoS attacks.
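The abstract's central security claim is that a remote ISP can authenticate and act on a request from a victim it has no prior relationship with. The following is an added example, not code from the SENSS paper or its prototype, that models the shape such an exchange must take: the victim signs a monitoring or filtering request, and the ISP accepts it only if the signature verifies under the key bound to the prefix the victim claims, the requested rule touches only traffic destined to that prefix, and the request has not been seen before. Everything beyond that is an assumption of this example: the prefix-to-key registry stands in for whatever out-of-band ownership proof a deployment would use (e.g. RPKI-style objects), Ed25519 and JSON are this example's choices, and the request field names are not the SENSS API.

```go
// Added example, not the paper's code: a SENSS-style signed request from a
// victim to a remote ISP, modelled in one process. Assumption: the ISP's
// prefix-to-key registry stands in for an out-of-band ownership proof (e.g. RPKI).
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"net"
)

// Request is the victim's ask (field names are this example's, not the SENSS
// API): "monitor" reports traffic volume toward Dst, "filter" drops Src->Dst
// traffic. Victim is the prefix whose registered key must have signed it.
type Request struct {
	Victim string `json:"victim"`
	Action string `json:"action"`
	Dst    string `json:"dst"`
	Src    string `json:"src,omitempty"`
	Nonce  uint64 `json:"nonce"`
}

// SignedRequest is the encoded body plus the Ed25519 signature over it.
type SignedRequest struct{ Body, Sig []byte }

// ISP holds the prefix-to-key registry, a replay cache and installed rules.
type ISP struct {
	registry map[string]ed25519.PublicKey
	seen     map[string]bool
	Rules    []Request
}

func NewISP() *ISP {
	return &ISP{registry: map[string]ed25519.PublicKey{}, seen: map[string]bool{}}
}

// Register binds prefix to the key of its holder (learned out of band).
func (isp *ISP) Register(prefix string, pk ed25519.PublicKey) { isp.registry[prefix] = pk }

// Sign encodes the request and signs the encoding with the victim's key.
func Sign(priv ed25519.PrivateKey, r Request) (SignedRequest, error) {
	body, err := json.Marshal(r)
	if err != nil {
		return SignedRequest{}, err
	}
	return SignedRequest{Body: body, Sig: ed25519.Sign(priv, body)}, nil
}

// Handle accepts a request from a sender the ISP has no prior relationship
// with: the signature must verify under the key bound to r.Victim, the rule
// may only touch traffic destined to that prefix, and a nonce is used once.
func (isp *ISP) Handle(sr SignedRequest) error {
	var r Request
	if err := json.Unmarshal(sr.Body, &r); err != nil {
		return fmt.Errorf("malformed request: %w", err)
	}
	pk, ok := isp.registry[r.Victim]
	if !ok {
		return errors.New("no key bound to claimed victim prefix")
	}
	if !ed25519.Verify(pk, sr.Body, sr.Sig) {
		return errors.New("signature does not verify under the victim's key")
	}
	if !within(r.Dst, r.Victim) {
		return errors.New("rule destination lies outside the victim's own prefix")
	}
	if r.Action != "monitor" && r.Action != "filter" {
		return errors.New("unknown action")
	}
	replayKey := fmt.Sprintf("%s|%d", r.Victim, r.Nonce)
	if isp.seen[replayKey] {
		return errors.New("replayed request")
	}
	isp.seen[replayKey] = true
	isp.Rules = append(isp.Rules, r)
	return nil
}

// within reports whether CIDR inner is entirely contained in CIDR outer.
func within(inner, outer string) bool {
	_, in, err1 := net.ParseCIDR(inner)
	_, out, err2 := net.ParseCIDR(outer)
	if err1 != nil || err2 != nil {
		return false
	}
	inBits, _ := in.Mask.Size()
	outBits, _ := out.Mask.Size()
	return outBits <= inBits && out.Contains(in.IP)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	isp := NewISP()
	isp.Register("203.0.113.0/24", pub) // constructed sample victim prefix
	req, _ := Sign(priv, Request{Victim: "203.0.113.0/24", Action: "filter", Dst: "203.0.113.10/32", Src: "192.0.2.0/24", Nonce: 1})
	fmt.Println("first:", isp.Handle(req), "replay:", isp.Handle(req))
}
```

The check that matters most is `within(r.Dst, r.Victim)`: authentication alone only proves who is asking, and without the authorization step a network that can prove ownership of one prefix could have an ISP filter traffic destined to someone else's. The nonce cache is per victim prefix; a real deployment would also bound request lifetime so the cache can be pruned.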
Title: SENSS Against Volumetric DDoS Attacks