Practical Proactive DDoS-Attack Mitigation via Endpoint-Driven In-Network Traffic Control

Zhuotao Liu; Hao Jin; Yih Chun Hu; Michael Bailey

doi:10.1109/TNET.2018.2854795

Practical Proactive DDoS-Attack Mitigation via Endpoint-Driven In-Network Traffic Control

Zhuotao Liu, Hao Jin, Yih Chun Hu, Michael Bailey

Research output: Contribution to journal › Article › peer-review

Abstract

Volumetric attacks, which overwhelm the bandwidth of a destination, are among the most common distributed denial-of-service (DDoS) attacks today. Despite considerable effort made by both research and industry, our recent interviews with over 100 potential DDoS victims in over 10 industry segments indicate that today's DDoS prevention is far from perfect. On one hand, few academical proposals have ever been deployed in the Internet; on the other hand, solutions offered by existing DDoS prevention vendors are not silver bullet to defend against the entire attack spectrum. Guided by such large-scale study of today's DDoS defense, in this paper, we present MiddlePolice, the first readily deployable and proactive DDoS prevention mechanism. We carefully architect MiddlePolice such that it requires no changes from both the Internet core and the network stack of clients, yielding instant deployability in the current Internet architecture. Further, relying on our novel capability feedback mechanism, MiddlePolice is able to enforce destination-driven traffic control so that it guarantees to deliver victim-desired traffic regardless of the attacker strategies. We implement a prototype of MiddlePolice and demonstrate its feasibility via extensive evaluations in the Internet, hardware testbed, and large-scale simulations.

Original language	English (US)
Article number	8418343
Pages (from-to)	1948-1961
Number of pages	14
Journal	IEEE/ACM Transactions on Networking
Volume	26
Issue number	4
DOIs	https://doi.org/10.1109/TNET.2018.2854795
State	Published - Aug 2018

Keywords

Network security
internet technology
middle-boxes

ASJC Scopus subject areas

Software
Computer Science Applications
Computer Networks and Communications
Electrical and Electronic Engineering

Access to Document

10.1109/TNET.2018.2854795

Fingerprint Dive into the research topics of 'Practical Proactive DDoS-Attack Mitigation via Endpoint-Driven In-Network Traffic Control'. Together they form a unique fingerprint.

Cite this

@article{c617da479c9f48168385a293667bc0e8,

title = "Practical Proactive DDoS-Attack Mitigation via Endpoint-Driven In-Network Traffic Control",

abstract = "Volumetric attacks, which overwhelm the bandwidth of a destination, are among the most common distributed denial-of-service (DDoS) attacks today. Despite considerable effort made by both research and industry, our recent interviews with over 100 potential DDoS victims in over 10 industry segments indicate that today's DDoS prevention is far from perfect. On one hand, few academical proposals have ever been deployed in the Internet; on the other hand, solutions offered by existing DDoS prevention vendors are not silver bullet to defend against the entire attack spectrum. Guided by such large-scale study of today's DDoS defense, in this paper, we present MiddlePolice, the first readily deployable and proactive DDoS prevention mechanism. We carefully architect MiddlePolice such that it requires no changes from both the Internet core and the network stack of clients, yielding instant deployability in the current Internet architecture. Further, relying on our novel capability feedback mechanism, MiddlePolice is able to enforce destination-driven traffic control so that it guarantees to deliver victim-desired traffic regardless of the attacker strategies. We implement a prototype of MiddlePolice and demonstrate its feasibility via extensive evaluations in the Internet, hardware testbed, and large-scale simulations.",

keywords = "Network security, internet technology, middle-boxes",

author = "Zhuotao Liu and Hao Jin and Hu, {Yih Chun} and Michael Bailey",

note = "Funding Information: Manuscript received September 29, 2017; revised June 16, 2018; accepted June 30, 2018; approved by IEEE/ACM TRANSACTIONS ON NETWORKING Editor W. Lou. Date of publication July 23, 2018; date of current version August 16, 2018. This work was supported by the National Science Foundation under Grants CNS-1717313, IIP-1758179, and CNS-0953600. Part of the material in this work appears in [1]. (Corresponding author: Zhuotao Liu.) Z. Liu, Y.-C. Hu, and M. Bailey are with the Electrical and Computer Engineering Department, University of Illinois at Urbana–Champaign, Urbana, IL 61801 USA (e-mail: zliu48@illinois.edu; yihchun@illinois.edu; mdbailey@illinois.edu). Funding Information: II. DDOS DEFENSE TODAY Before discussing our proposed system, we first present our study of current status of real-world DDoS attacks and defense. Supported by the NSF Innovation Corps program under grant IIP-1758179, we interviewed more than 100 security engineers/administrators from over ten industrial segments, including hosting companies, financial departments, online gaming providers, military contractors, government institutes, medical foundations, and existing DDoS prevention vendors. To the best of our knowledge, in the research community, this is the first comprehensive study of DDoS prevention from the perspective of security experts that are the first-line DDoS defenders. Our analysis highlights following key observations.",

year = "2018",

month = aug,

doi = "10.1109/TNET.2018.2854795",

language = "English (US)",

volume = "26",

pages = "1948--1961",

journal = "IEEE/ACM Transactions on Networking",

issn = "1063-6692",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

number = "4",

}

TY - JOUR

T1 - Practical Proactive DDoS-Attack Mitigation via Endpoint-Driven In-Network Traffic Control

AU - Liu, Zhuotao

AU - Jin, Hao

AU - Hu, Yih Chun

AU - Bailey, Michael

N1 - Funding Information: Manuscript received September 29, 2017; revised June 16, 2018; accepted June 30, 2018; approved by IEEE/ACM TRANSACTIONS ON NETWORKING Editor W. Lou. Date of publication July 23, 2018; date of current version August 16, 2018. This work was supported by the National Science Foundation under Grants CNS-1717313, IIP-1758179, and CNS-0953600. Part of the material in this work appears in [1]. (Corresponding author: Zhuotao Liu.) Z. Liu, Y.-C. Hu, and M. Bailey are with the Electrical and Computer Engineering Department, University of Illinois at Urbana–Champaign, Urbana, IL 61801 USA (e-mail: zliu48@illinois.edu; yihchun@illinois.edu; mdbailey@illinois.edu). Funding Information: II. DDOS DEFENSE TODAY Before discussing our proposed system, we first present our study of current status of real-world DDoS attacks and defense. Supported by the NSF Innovation Corps program under grant IIP-1758179, we interviewed more than 100 security engineers/administrators from over ten industrial segments, including hosting companies, financial departments, online gaming providers, military contractors, government institutes, medical foundations, and existing DDoS prevention vendors. To the best of our knowledge, in the research community, this is the first comprehensive study of DDoS prevention from the perspective of security experts that are the first-line DDoS defenders. Our analysis highlights following key observations.

PY - 2018/8

Y1 - 2018/8

N2 - Volumetric attacks, which overwhelm the bandwidth of a destination, are among the most common distributed denial-of-service (DDoS) attacks today. Despite considerable effort made by both research and industry, our recent interviews with over 100 potential DDoS victims in over 10 industry segments indicate that today's DDoS prevention is far from perfect. On one hand, few academical proposals have ever been deployed in the Internet; on the other hand, solutions offered by existing DDoS prevention vendors are not silver bullet to defend against the entire attack spectrum. Guided by such large-scale study of today's DDoS defense, in this paper, we present MiddlePolice, the first readily deployable and proactive DDoS prevention mechanism. We carefully architect MiddlePolice such that it requires no changes from both the Internet core and the network stack of clients, yielding instant deployability in the current Internet architecture. Further, relying on our novel capability feedback mechanism, MiddlePolice is able to enforce destination-driven traffic control so that it guarantees to deliver victim-desired traffic regardless of the attacker strategies. We implement a prototype of MiddlePolice and demonstrate its feasibility via extensive evaluations in the Internet, hardware testbed, and large-scale simulations.

AB - Volumetric attacks, which overwhelm the bandwidth of a destination, are among the most common distributed denial-of-service (DDoS) attacks today. Despite considerable effort made by both research and industry, our recent interviews with over 100 potential DDoS victims in over 10 industry segments indicate that today's DDoS prevention is far from perfect. On one hand, few academical proposals have ever been deployed in the Internet; on the other hand, solutions offered by existing DDoS prevention vendors are not silver bullet to defend against the entire attack spectrum. Guided by such large-scale study of today's DDoS defense, in this paper, we present MiddlePolice, the first readily deployable and proactive DDoS prevention mechanism. We carefully architect MiddlePolice such that it requires no changes from both the Internet core and the network stack of clients, yielding instant deployability in the current Internet architecture. Further, relying on our novel capability feedback mechanism, MiddlePolice is able to enforce destination-driven traffic control so that it guarantees to deliver victim-desired traffic regardless of the attacker strategies. We implement a prototype of MiddlePolice and demonstrate its feasibility via extensive evaluations in the Internet, hardware testbed, and large-scale simulations.

KW - Network security

KW - internet technology

KW - middle-boxes

UR - http://www.scopus.com/inward/record.url?scp=85050387736&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85050387736&partnerID=8YFLogxK

U2 - 10.1109/TNET.2018.2854795

DO - 10.1109/TNET.2018.2854795

M3 - Article

AN - SCOPUS:85050387736

VL - 26

SP - 1948

EP - 1961

JO - IEEE/ACM Transactions on Networking

JF - IEEE/ACM Transactions on Networking

SN - 1063-6692

IS - 4

M1 - 8418343

ER -