Trustworthy DDoS Defense: Design, Proof of Concept Implementation and Testing

Mohamad Samir A. EID  Hitoshi AIDA  

Publication
IEICE TRANSACTIONS on Information and Systems   Vol.E100-D   No.8   pp.1738-1750
Publication Date: 2017/08/01
Publicized: 2017/05/18
Online ISSN: 1745-1361
DOI: 10.1587/transinf.2016ICP0024
Type of Manuscript: Special Section PAPER (Special Section on Information and Communication System Security)
Category: Internet Security
Keywords: Distributed Denial of Service (DDoS) attacks, application level attacks, network security, overlay networks

Summary:
Distributed Denial of Service (DDoS) attacks based on HTTP and HTTPS (i.e., HTTP(S)-DDoS) are increasingly popular among attackers. Overlay-based mitigation solutions attract small and medium-sized enterprises mainly for their low cost and high scalability. However, conventional overlay-based solutions assume content inspection to remotely mitigate HTTP(S)-DDoS attacks, which raises trust concerns. This paper reports on a new overlay-based method that practically adds a third level of client identification (to the conventional per-IP and per-connection levels). This enhanced identification enables remote mitigation of more complex HTTP(S)-DDoS categories without content inspection. A novel behavior-based reputation and penalty system is designed, then a simplified proof of concept prototype is implemented and deployed on DeterLab. Among several conducted experiments, two are presented in this paper, representing a single-vector and a multi-vector complex HTTP(S)-DDoS attack scenario (utilizing LOIC, Slowloris, and a custom-built attack tool for HTTPS-DDoS). Results show nearly 99.2% reduction in attack traffic and a 100% chance of legitimate service. Yet attack reduction decreases, and the cost in service time (of a specified file) rises, temporarily during an approximately 2-minute mitigation time. Collateral damage to non-attacking clients sharing an attack IP is measured in terms of a temporary extra service time. Only the added identification level was utilized for mitigation, while future work includes incorporating all three levels to mitigate the switching and multi-request-per-connection attack categories.