Multifaceted Defense Against Distributed Denial of Service Attacks: Prevention, Detection, Mitigation

Doctoral thesis, 2012

Distributed Denial of Service (DDoS) attacks can be so powerful that they can easily deplete the computing resources or bandwidth of the potential targets, by flooding massive packets. Internet infrastructures and network applications, including social services and communication systems for emergency management, are under the threat of the DDoS problem. This thesis aims at providing efficient methods which can detect and mitigate DDoS attacks, meanwhile keeping the network performance degradation as little as possible. Dealing with DDoS attacks is challenging, due to their multifaceted properties: dynamic attack rates, various kinds of targets, big scale of botnets, etc. Multifaceted nature of DDoS attacks justifies the need for multifaceted defense. Thus we address the DDoS problems from different aspects. In particular, in the thesis we present an adaptive port-hopping method to address application-level DDoS problems. The method enables multiparty applications to communicate via ports changed periodically. Thus, the adversary cannot effectively attack the communication ports of the targets. The proposed method can deal with clock drifts among the communication parties without the need of acknowledgments or time server. To address the bandwidth-flooding attacks, in the thesis, we propose and present SIEVE, a lightweight distributed filtering method. Depending on the adversary's ability, SIEVE can provide a standalone filter for moderate adversary models and a complementary filter which can enhance the performance of strong and more complex methods for stronger adversary models. SIEVE uses an overlay network to form a distributed ``sieve'' and uses lightweight authenticators (e.g. source IP addresses) to filter packets. SIEVE includes also a simple solution to protect connection setup procedures between legitimate clients and protected servers, which can also be applied to address the Denial-of-Capability (DoC) problem. In this thesis we present how to complement network-capability mechanisms by addressing the Denial-of-Capability problem. Mitigating DDoS attacks are challenging not only for the end hosts, but also for the network. By building on earlier work and improving on distribution of control aspects, a proactive method, which we call CluB, is proposed in this thesis to mitigate DDoS attacks. The method balances the effectiveness-overhead trade-off by addressing the issue of granularity of control in the network. CluB can collaborate with different routing policies in the network, including contemporary datagram options. We estimate the effectiveness of the method and also study a set of factors for tuning the granularity of control. The thesis also studies the problem of monitoring high-speed traffic and detecting DDoS-related anomalies in a data streaming fashion to offer a detection at an early stage in the core network, thus activating appropriate DDoS mitigations only when necessary. We propose an IP-prefix based aggregation method to monitor and detect DDoS-related anomalies. Furthermore, we investigate the design space of combining parallel-distributed data streaming with both online detection and baseline profile maintenance, and give detailed solutions for achieving this. The proposed data streaming based DDoS defense solutions are implemented upon a parallel-distributed data stream engine.