DOI: 10.1145/2556871.2556900
research-article

Dynamic Binary User-Splits to Protect Cloud Servers from DDoS Attacks

Published: 01 December 2013

ABSTRACT

Several overlay-based solutions have been proposed to protect network servers from DoS/DDoS attacks. The common objective of the existing solutions is to prevent attacking traffic from reaching the servers by hiding the location of the target server computers. Recent evolutions in DDoS attacks, especially the increase in the number of bots involved in a DDoS attack and in the degree of control such bots have over the hijacked host computers, pose serious threats to the overlay-based solutions. We designed and assessed the potential of a new overlay-based security architecture that addresses these recent evolutions in DDoS attacks. The new security architecture, called "Dynamic Binary User-Splits (DBUS)", is designed to protect cloud servers (a) when their legitimate users convert to DoS/DDoS attackers or (b) when DDoS attacks are launched from legitimate users' host computers that have been hijacked by DDoS coordinators. DBUS copes with these situations by sieving attacking traffic from the hijacked legitimate users' host computers using dynamic binary user splits over the migrating entry points to an overlay network. Our discrete event driven simulation suggested that DBUS will efficiently sieve DDoS attacking hosts in many different situations, whether a small number of attacking hosts hide behind a large legitimate user group or a stampede of DDoS attacking hosts occupies the majority of incoming traffic, without requiring a large number of migrating entry points. We also found that how quickly each migrating entry point can detect excess traffic is key to keeping convergence delay short.
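As an added illustration of the idea in the abstract (not the paper's algorithm or its simulator, neither of which is on this page), the following Python model sieves DDoS hosts out of a known user group by repeatedly halving any group whose entry point sees excess traffic and moving the halves to fresh entry points. The per-host traffic rates, the excess threshold (SLACK) and the per-level detection delay are assumptions made here.

```python
"""Toy model of dynamic binary user-splits across migrating entry points.

Assumed model (not from the paper): every user is authenticated, so an entry
point knows exactly which users are mapped to it. Legitimate hosts send
LEGIT_RATE units per round, bots send ATTACK_RATE. An entry point whose load
exceeds SLACK times the load its users should generate is "in excess"; its
user group is split in half onto two fresh entry points, and a single host
that still causes excess on its own is blocked.
"""

LEGIT_RATE = 1       # traffic units per round from a well-behaved host (assumed)
ATTACK_RATE = 40     # traffic units per round from a DDoS bot (assumed)
SLACK = 1.2          # excess threshold as a multiple of expected load (assumed)


def entry_point_load(group, attackers):
    """Traffic one entry point sees from the users currently mapped to it."""
    return sum(ATTACK_RATE if u in attackers else LEGIT_RATE for u in group)


def dbus_sieve(users, attackers, detect_rounds=1):
    """Split overloaded entry points in half until each bot stands alone.

    detect_rounds: rounds an entry point needs before it notices excess.
    Returns (blocked_hosts, rounds_elapsed, peak_new_entry_points_per_round).
    """
    active = [list(users)]            # one user group per entry point being watched
    blocked, rounds, peak = set(), 0, 1
    while active:
        rounds += detect_rounds       # every split level waits for detection
        next_level = []
        for group in active:
            expected = LEGIT_RATE * len(group)
            if entry_point_load(group, attackers) <= SLACK * expected:
                continue              # normal load: group keeps its entry point
            if len(group) == 1:
                blocked.add(group[0])  # a lone host still in excess is a bot
                continue
            half = len(group) // 2    # binary split onto two fresh entry points
            next_level += [group[:half], group[half:]]
        peak = max(peak, len(next_level))
        active = next_level
    return blocked, rounds, peak


if __name__ == "__main__":
    # Constructed scenario: 64 legitimate users, two of which have been hijacked.
    print(dbus_sieve(range(64), attackers={5, 40}, detect_rounds=3))
```

Because the threshold is relative to group size, a single bot whose extra traffic is below the slack of a large group stays hidden until the group has been split small enough, which is the "small number of attackers behind a large user group" case the abstract mentions; raising detect_rounds lengthens convergence by the same factor without changing which hosts are blocked.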


Published in

ICCC '13: Proceedings of the Second International Conference on Innovative Computing and Cloud Computing
December 2013, 285 pages
ISBN: 9781450321198
DOI: 10.1145/2556871
General Chairs: Min Wu, Wei Lee
Program Chairs: Yiyi Zhouzhou, Riza Esa, Xiang Lee

Copyright © 2013 ACM

Publisher: Association for Computing Machinery, New York, NY, United States