Middlepolice: Toward enforcing destination-defined policies in the middle of the internet

Zhuotao Liu, Hao Jiny, Yih Chun Hu, Michael Bailey

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Volumetric attacks, which overwhelm the bandwidth of a destination, are amongst the most common DDoS attacks today. One practical approach to addressing these attacks is to redirect all destination traffic (e.g., via DNS or BGP) to a third-party, DDoS-protection-as-a-service provider (e.g., CloudFlare) that is well provisioned and equipped with filtering mechanisms to remove attack traffic before passing the remaining benign traffic to the destination. An alternative approach is based on the concept of network capabilities, whereby source sending rates are determined by receiver consent, in the form of capabilities enforced by the network. While both third-party scrubbing services and network capabilities can be effective at reducing unwanted traffic at an overwhelmed destination, DDoS-protection-as-a-service solutions outsource all of the scheduling decisions (e.g., fairness, priority and attack identification) to the provider, while capability-based solutions require extensive modifications to existing infrastructure to operate. In this paper we introduce MiddlePolice, which seeks to marry the deployability of DDoS-protection-as-a-service solutions with the destination-based control of network capability systems. We show that by allowing feedback from the destination to the provider, MiddlePolice can effectively enforce destination-chosen policies, while requiring no deployment from unrelated parties.

Original language: English (US)
Title of host publication: CCS 2016 - Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security
Publisher: Association for Computing Machinery
Pages: 1268-1279
Number of pages: 12
ISBN (Electronic): 9781450341394
DOIs: 10.1145/2976749.2978306
State: Published - Oct 24 2016
Event: 23rd ACM Conference on Computer and Communications Security, CCS 2016 - Vienna, Austria
Duration: Oct 24 2016 to Oct 28 2016

Publication series

Name: Proceedings of the ACM Conference on Computer and Communications Security
Volume: 24-28-October-2016
ISSN (Print): 1543-7221

Other

Other: 23rd ACM Conference on Computer and Communications Security, CCS 2016
Country: Austria
City: Vienna
Period: 10/24/16 to 10/28/16

Fingerprint

Internet
Scheduling
Feedback
Bandwidth

ASJC Scopus subject areas

  • Software
  • Computer Networks and Communications

Cite this

Liu, Z., Jiny, H., Hu, Y. C., & Bailey, M. (2016). Middlepolice: Toward enforcing destination-defined policies in the middle of the internet. In CCS 2016 - Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (pp. 1268-1279). (Proceedings of the ACM Conference on Computer and Communications Security; Vol. 24-28-October-2016). Association for Computing Machinery. https://doi.org/10.1145/2976749.2978306
