Mitigating distributed denial-of-service attacks: Application-defense and network-defense methods
Paper in proceeding, 2012
Distributed Denial of Service (DDoS) attacks can be so powerful that they easily deplete the computing resources or bandwidth of their targets. Based on the type of target, DDoS attacks can be addressed at two levels: the application level and the network level. For network-based applications, a weak point is that they commonly open some known communication port(s), making themselves targets for denial of service (DoS) attacks. Considering adversaries that can eavesdrop and launch directed DoS attacks against the applications' open ports, solutions based on pseudorandom port-hopping have been suggested [1], [5], where applications defend their communication ports by changing them periodically. As port-hopping needs the communicating parties to "hop" in a synchronized manner, these solutions rely on acknowledgment-based protocols between a client-server pair or assume the presence of synchronized clocks. Acknowledgments, if lost, can cause a port to stay open for a longer time and thus be vulnerable to DoS attacks; time servers used for synchronizing clocks can themselves become targets of DoS attacks. Following this line of research, in [2] we proposed a solution for port-hopping in the presence of clock drift, which is common in networking. The solution basically consists of two algorithms: HOPERAA and BIGWHEEL. HOPERAA enables each client to interact with the server independently of the other clients; BIGWHEEL enables a server to communicate with multiple clients in a port-hopping manner without synchronizing with each client individually, which supports multi-party applications as well. Anti-DDoS solutions at the application level, such as port-hopping, are ineffective when the DDoS attacks aim to congest the victim's network. Victims may then need help from network-based (i.e. router-level) solutions to solve the problem.
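The synchronization problem described above can be made concrete with a small simulation. The following Python example is added here and is not code from the paper or its authors; in particular, it does not implement HOPERAA or BIGWHEEL. It assumes a pre-shared secret between client and server, derives the port of each hop slot with an HMAC-based pseudorandom function (an assumed construction), and lets the server keep the ports of a few neighbouring slots open as a tolerance window. It then measures how long a client whose clock runs fast by a constant rate stays in sync, showing why a fixed tolerance only postpones the loss of contact and why drift has to be handled explicitly.

```python
import hmac
import hashlib
from typing import Optional

# Assumed parameters for this illustration (not values from the paper).
PORT_MIN, PORT_MAX = 10000, 60000
HOP_PERIOD_MS = 5000                       # length of one hop slot in milliseconds
SHARED_SECRET = b"constructed-demo-secret"  # pre-shared key assumed between client and server


def port_for_slot(secret: bytes, slot: int) -> int:
    """Map a hop-slot index to a port with an HMAC-SHA256 pseudorandom function.
    Without the secret an eavesdropper cannot predict which port comes next."""
    mac = hmac.new(secret, slot.to_bytes(8, "big", signed=True), hashlib.sha256).digest()
    return PORT_MIN + int.from_bytes(mac[:4], "big") % (PORT_MAX - PORT_MIN + 1)


def slot_at(clock_ms: int) -> int:
    """Hop slot that a party's local clock places it in."""
    return clock_ms // HOP_PERIOD_MS


def server_open_ports(secret: bytes, server_clock_ms: int, tolerance: int) -> set:
    """Ports the server listens on: the current slot plus `tolerance` slots on each side.
    A larger tolerance absorbs more drift but keeps more ports open at once,
    which is exactly the exposure port-hopping tries to limit."""
    s = slot_at(server_clock_ms)
    return {port_for_slot(secret, k) for k in range(s - tolerance, s + tolerance + 1)}


def accepted(secret: bytes, client_clock_ms: int, server_clock_ms: int, tolerance: int) -> bool:
    """True when the port the client picks from its own clock is one the server listens on."""
    client_port = port_for_slot(secret, slot_at(client_clock_ms))
    return client_port in server_open_ports(secret, server_clock_ms, tolerance)


def first_failure_s(drift_ppm: int, tolerance: int, horizon_s: int = 3600) -> Optional[int]:
    """Simulate a client whose clock runs fast by drift_ppm (parts per million) relative
    to the server, sending once per second. Returns the first second at which the client
    misses every open port, or None if it stays in sync for the whole horizon.
    Integer millisecond arithmetic keeps the slot boundaries exact."""
    for t in range(horizon_s):
        server_ms = t * 1000
        client_ms = server_ms + server_ms * drift_ppm // 1_000_000
        if not accepted(SHARED_SECRET, client_ms, server_ms, tolerance):
            return t
    return None


if __name__ == "__main__":
    print("no drift, tolerance 0:", first_failure_s(0, 0))
    print("1% drift, tolerance 0:", first_failure_s(10_000, 0))
    print("1% drift, tolerance 1:", first_failure_s(10_000, 1))
```

With a 1% drift the client loses the server after roughly 100 s when the server listens on one slot only, and after roughly 600 s when it listens on three slots; the window buys time but does not remove the problem, because the accumulated offset keeps growing. Even with perfect clocks, a message sent just before a slot boundary arrives in the next slot, so some overlap between consecutive slots is needed in practice, and every extra slot kept open is an extra port an attacker can target.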
Among the network-based solutions against DDoS attacks, the network-capability mechanism is a novel approach [6]. A capability is a ticket-like token, checkable by routers, that a server can issue for legitimate traffic. Still, malicious hosts may swamp a server with requests for capability establishment, causing what is known as Denial-of-Capability (DoC). In [4] we proposed an algorithm to mitigate DoC attacks. With this algorithm, legitimate hosts get service with guaranteed probability. The algorithm divides the server's capacity for handling capability requests into quotas. Quotas are allocated based on a sink-tree architecture. Randomization and Bloom filters are used as tools against the threats (attack scenarios) considered. Issues of fault tolerance and the deployment of the proposed approach were also addressed in [4]. The algorithm is not only suitable for solving the DoC problem, but also for general authentication-based solutions against DDoS attacks, since legitimate hosts always need to obtain the secret for generating authentication tokens before sending data packets to the server. Mitigating DDoS attacks is challenging not only for the targets of the attacks, but also for the network, as large volumes of illegitimate traffic share the same network resources as legitimate traffic and can furthermore cause congestion and performance degradation. Considering malicious traffic, we would ideally like to prevent it completely from consuming network resources. To achieve that, the malicious traffic should be controlled as close to the source(s) as possible. It is observed that there is a trade-off between the protection level of the network and the efficiency/overhead of the protecting method. By building on earlier work and improving on the distribution-of-control aspects, in [3] we proposed a proactive method, called CluB, to mitigate DDoS attacks.
The method balances the effectiveness-overhead trade-off by addressing the granularity of control in the network. CluB can collaborate with different routing policies in the network, including contemporary datagram options. In [3] we estimated the effectiveness of the method and also studied a set of factors for tuning the granularity of control.