Middlepolice: Toward enforcing destination-defined policies in the middle of the internet

Zhuotao Liu; Hao Jiny; Yih Chun Hu; Michael Bailey

doi:10.1145/2976749.2978306

Middlepolice: Toward enforcing destination-defined policies in the middle of the internet

Zhuotao Liu, Hao Jiny, Yih Chun Hu, Michael Bailey

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Volumetric attacks, which overwhelm the bandwidth of a destination, are amongst the most common DDoS attacks today. One practical approach to addressing these attacks is to redirect all destination traffic (e.g., via DNS or BGP) to a third-party, DDoS-protection-as-a-service provider (e.g., CloudFlare) that is well provisioned and equipped with filtering mechanisms to remove attack traffic before passing the remaining benign traffic to the destination. An alternative approach is based on the concept of network capabilities, whereby source sending rates are determined by receiver consent, in the form of capabilities enforced by the network. While both third-party scrubbing services and network capabilities can be effective at reducing unwanted traffic at an overwhelmed destination, DDoS-protection-as-a-service solutions outsource all of the scheduling decisions (e.g., fairness, priority and attack identification) to the provider, while capability-based solutions require extensive modifications to existing infrastructure to operate. In this paper we introduce MiddlePolice, which seeks to marry the deployability of DDoS-protection-as-a-service solutions with the destinationbased control of network capability systems. We show that by allowing feedback from the destination to the provider, MiddlePolice can effectively enforce destination-chosen policies, while requiring no deployment from unrelated parties.

Original language	English (US)
Title of host publication	CCS 2016 - Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security
Publisher	Association for Computing Machinery
Pages	1268-1279
Number of pages	12
ISBN (Electronic)	9781450341394
DOIs	https://doi.org/10.1145/2976749.2978306
State	Published - Oct 24 2016
Event	23rd ACM Conference on Computer and Communications Security, CCS 2016 - Vienna, Austria Duration: Oct 24 2016 → Oct 28 2016

Publication series

Name	Proceedings of the ACM Conference on Computer and Communications Security
Volume	24-28-October-2016
ISSN (Print)	1543-7221

Other

Other	23rd ACM Conference on Computer and Communications Security, CCS 2016
Country/Territory	Austria
City	Vienna
Period	10/24/16 → 10/28/16

ASJC Scopus subject areas

Software
Computer Networks and Communications

Online availability

10.1145/2976749.2978306

Library availability

Discover UIUC Full Text

Cite this

Liu, Z., Jiny, H., Hu, Y. C., & Bailey, M. (2016). Middlepolice: Toward enforcing destination-defined policies in the middle of the internet. In CCS 2016 - Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (pp. 1268-1279). (Proceedings of the ACM Conference on Computer and Communications Security; Vol. 24-28-October-2016). Association for Computing Machinery. https://doi.org/10.1145/2976749.2978306

Middlepolice: Toward enforcing destination-defined policies in the middle of the internet. / Liu, Zhuotao; Jiny, Hao; Hu, Yih Chun et al.
CCS 2016 - Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. Association for Computing Machinery, 2016. p. 1268-1279 (Proceedings of the ACM Conference on Computer and Communications Security; Vol. 24-28-October-2016).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Liu, Z, Jiny, H, Hu, YC & Bailey, M 2016, Middlepolice: Toward enforcing destination-defined policies in the middle of the internet. in CCS 2016 - Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. Proceedings of the ACM Conference on Computer and Communications Security, vol. 24-28-October-2016, Association for Computing Machinery, pp. 1268-1279, 23rd ACM Conference on Computer and Communications Security, CCS 2016, Vienna, Austria, 10/24/16. https://doi.org/10.1145/2976749.2978306

Liu Z, Jiny H, Hu YC, Bailey M. Middlepolice: Toward enforcing destination-defined policies in the middle of the internet. In CCS 2016 - Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. Association for Computing Machinery. 2016. p. 1268-1279. (Proceedings of the ACM Conference on Computer and Communications Security). doi: 10.1145/2976749.2978306

Liu, Zhuotao ; Jiny, Hao ; Hu, Yih Chun et al. / Middlepolice : Toward enforcing destination-defined policies in the middle of the internet. CCS 2016 - Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. Association for Computing Machinery, 2016. pp. 1268-1279 (Proceedings of the ACM Conference on Computer and Communications Security).

@inproceedings{b7ec73bcab8949ac8ba77432e56616c1,

title = "Middlepolice: Toward enforcing destination-defined policies in the middle of the internet",

abstract = "Volumetric attacks, which overwhelm the bandwidth of a destination, are amongst the most common DDoS attacks today. One practical approach to addressing these attacks is to redirect all destination traffic (e.g., via DNS or BGP) to a third-party, DDoS-protection-as-a-service provider (e.g., CloudFlare) that is well provisioned and equipped with filtering mechanisms to remove attack traffic before passing the remaining benign traffic to the destination. An alternative approach is based on the concept of network capabilities, whereby source sending rates are determined by receiver consent, in the form of capabilities enforced by the network. While both third-party scrubbing services and network capabilities can be effective at reducing unwanted traffic at an overwhelmed destination, DDoS-protection-as-a-service solutions outsource all of the scheduling decisions (e.g., fairness, priority and attack identification) to the provider, while capability-based solutions require extensive modifications to existing infrastructure to operate. In this paper we introduce MiddlePolice, which seeks to marry the deployability of DDoS-protection-as-a-service solutions with the destinationbased control of network capability systems. We show that by allowing feedback from the destination to the provider, MiddlePolice can effectively enforce destination-chosen policies, while requiring no deployment from unrelated parties.",

author = "Zhuotao Liu and Hao Jiny and Hu, {Yih Chun} and Michael Bailey",

note = "Funding Information: We thank the anonymous CCS reviewers for their valuable feedback. This material is based upon work partially supported by NSF under Contract Nos. CNS-0953600, CNS-1505790 and CNS-1518741. The views and conclusions contained here are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either express or implied, of NSF, the University of Illinois, or the U.S. Government or any of its agencies. Publisher Copyright: {\textcopyright} 2016 Copyright held by the owner/author(s).; 23rd ACM Conference on Computer and Communications Security, CCS 2016 ; Conference date: 24-10-2016 Through 28-10-2016",

year = "2016",

month = oct,

day = "24",

doi = "10.1145/2976749.2978306",

language = "English (US)",

series = "Proceedings of the ACM Conference on Computer and Communications Security",

publisher = "Association for Computing Machinery",

pages = "1268--1279",

booktitle = "CCS 2016 - Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security",

}

TY - GEN

T1 - Middlepolice

T2 - 23rd ACM Conference on Computer and Communications Security, CCS 2016

AU - Liu, Zhuotao

AU - Jiny, Hao

AU - Hu, Yih Chun

AU - Bailey, Michael

N1 - Funding Information: We thank the anonymous CCS reviewers for their valuable feedback. This material is based upon work partially supported by NSF under Contract Nos. CNS-0953600, CNS-1505790 and CNS-1518741. The views and conclusions contained here are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either express or implied, of NSF, the University of Illinois, or the U.S. Government or any of its agencies. Publisher Copyright: © 2016 Copyright held by the owner/author(s).

PY - 2016/10/24

Y1 - 2016/10/24

N2 - Volumetric attacks, which overwhelm the bandwidth of a destination, are amongst the most common DDoS attacks today. One practical approach to addressing these attacks is to redirect all destination traffic (e.g., via DNS or BGP) to a third-party, DDoS-protection-as-a-service provider (e.g., CloudFlare) that is well provisioned and equipped with filtering mechanisms to remove attack traffic before passing the remaining benign traffic to the destination. An alternative approach is based on the concept of network capabilities, whereby source sending rates are determined by receiver consent, in the form of capabilities enforced by the network. While both third-party scrubbing services and network capabilities can be effective at reducing unwanted traffic at an overwhelmed destination, DDoS-protection-as-a-service solutions outsource all of the scheduling decisions (e.g., fairness, priority and attack identification) to the provider, while capability-based solutions require extensive modifications to existing infrastructure to operate. In this paper we introduce MiddlePolice, which seeks to marry the deployability of DDoS-protection-as-a-service solutions with the destinationbased control of network capability systems. We show that by allowing feedback from the destination to the provider, MiddlePolice can effectively enforce destination-chosen policies, while requiring no deployment from unrelated parties.

AB - Volumetric attacks, which overwhelm the bandwidth of a destination, are amongst the most common DDoS attacks today. One practical approach to addressing these attacks is to redirect all destination traffic (e.g., via DNS or BGP) to a third-party, DDoS-protection-as-a-service provider (e.g., CloudFlare) that is well provisioned and equipped with filtering mechanisms to remove attack traffic before passing the remaining benign traffic to the destination. An alternative approach is based on the concept of network capabilities, whereby source sending rates are determined by receiver consent, in the form of capabilities enforced by the network. While both third-party scrubbing services and network capabilities can be effective at reducing unwanted traffic at an overwhelmed destination, DDoS-protection-as-a-service solutions outsource all of the scheduling decisions (e.g., fairness, priority and attack identification) to the provider, while capability-based solutions require extensive modifications to existing infrastructure to operate. In this paper we introduce MiddlePolice, which seeks to marry the deployability of DDoS-protection-as-a-service solutions with the destinationbased control of network capability systems. We show that by allowing feedback from the destination to the provider, MiddlePolice can effectively enforce destination-chosen policies, while requiring no deployment from unrelated parties.

UR - http://www.scopus.com/inward/record.url?scp=84995466233&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84995466233&partnerID=8YFLogxK

U2 - 10.1145/2976749.2978306

DO - 10.1145/2976749.2978306

M3 - Conference contribution

AN - SCOPUS:84995466233

T3 - Proceedings of the ACM Conference on Computer and Communications Security

SP - 1268

EP - 1279

BT - CCS 2016 - Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security

PB - Association for Computing Machinery

Y2 - 24 October 2016 through 28 October 2016

ER -

Middlepolice: Toward enforcing destination-defined policies in the middle of the internet

Abstract

Publication series

Other

ASJC Scopus subject areas

Online availability

Library availability

Related links

Fingerprint

Cite this