
Electronic data

  • 08344498

    Rights statement: ©2018 IEEE. Personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works must be obtained from the IEEE.

    Accepted author manuscript, 1.39 MB, PDF document

    Available under license: CC BY

An Inter-domain Collaboration Scheme to Remedy DDoS Attacks in Computer Networks

Research output: Contribution to Journal/Magazine › Journal article › peer-review

Published

Standard

An Inter-domain Collaboration Scheme to Remedy DDoS Attacks in Computer Networks. / Simpson, Steven; Shirazi, Syed Noorulhassan; Marnerides, Angelos et al.
In: IEEE Transactions on Network and Service Management, Vol. 15, No. 3, 01.09.2018, p. 879-893.

Vancouver

Simpson S, Shirazi SN, Marnerides A, Jouet S, Pezaros D, Hutchison D. An Inter-domain Collaboration Scheme to Remedy DDoS Attacks in Computer Networks. IEEE Transactions on Network and Service Management. 2018 Sept 1;15(3):879-893. Epub 2018 Apr 20. doi: 10.1109/TNSM.2018.2828938

Author

Simpson, Steven; Shirazi, Syed Noorulhassan; Marnerides, Angelos et al. / An Inter-domain Collaboration Scheme to Remedy DDoS Attacks in Computer Networks. In: IEEE Transactions on Network and Service Management. 2018; Vol. 15, No. 3. pp. 879-893.

Bibtex

@article{4a8f6b6357fa4279b9bdade0f5b67973,
title = "An Inter-domain Collaboration Scheme to Remedy DDoS Attacks in Computer Networks",
abstract = "Distributed Denial-of-Service (DDoS) attacks continue to trouble network operators and service providers, and with increasing intensity. Effective response to DDoS can be slow (because of manual diagnosis and interaction) and potentially self-defeating (as indiscriminate filtering accomplishes a likely goal of the attacker), and this is the result of the discrepancy between the service provider's flow-based, application-level view of traffic and the network operator's packet-based, network-level view and limited functionality. Furthermore, a network required to take action may be in an Autonomous System (AS) several AS-hops away from the service, so it has no direct relationship with the service on whose behalf it acts. This paper presents Antidose, a means of interaction between a vulnerable peripheral service and an indirectly related AS that allows the AS to confidently deploy local filtering with discrimination under the control of the remote service. We implement the core filtering mechanism of Antidose, and provide an analysis of it to demonstrate that conscious attacks against the mechanism will not expose the AS to additional attacks. We present a performance evaluation to show that the mechanism is operationally feasible in the emerging trend of operators' willingness to increase the programmability of their hardware with SDN technologies such as OpenFlow, as well as to act to mitigate attacks on downstream customers.",
keywords = "Distributed Denial-of-Service, Antidose, mitigation, BPFabric, network security, network resilience, bandwidth saturation attacks, network management, inter-domain collaboration",
author = "Steven Simpson and Shirazi, {Syed Noorulhassan} and Angelos Marnerides and Simon Jouet and Dimitrios Pezaros and David Hutchison",
year = "2018",
month = sep,
day = "1",
doi = "10.1109/TNSM.2018.2828938",
language = "English",
volume = "15",
pages = "879--893",
journal = "IEEE Transactions on Network and Service Management",
issn = "1932-4537",
publisher = "IEEE-INST ELECTRICAL ELECTRONICS ENGINEERS INC",
number = "3",

}

RIS

TY - JOUR

T1 - An Inter-domain Collaboration Scheme to Remedy DDoS Attacks in Computer Networks

AU - Simpson, Steven

AU - Shirazi, Syed Noorulhassan

AU - Marnerides, Angelos

AU - Jouet, Simon

AU - Pezaros, Dimitrios

AU - Hutchison, David

PY - 2018/9/1

Y1 - 2018/9/1

N2 - Distributed Denial-of-Service (DDoS) attacks continue to trouble network operators and service providers, and with increasing intensity. Effective response to DDoS can be slow (because of manual diagnosis and interaction) and potentially self-defeating (as indiscriminate filtering accomplishes a likely goal of the attacker), and this is the result of the discrepancy between the service provider's flow-based, application-level view of traffic and the network operator's packet-based, network-level view and limited functionality. Furthermore, a network required to take action may be in an Autonomous System (AS) several AS-hops away from the service, so it has no direct relationship with the service on whose behalf it acts. This paper presents Antidose, a means of interaction between a vulnerable peripheral service and an indirectly related AS that allows the AS to confidently deploy local filtering with discrimination under the control of the remote service. We implement the core filtering mechanism of Antidose, and provide an analysis of it to demonstrate that conscious attacks against the mechanism will not expose the AS to additional attacks. We present a performance evaluation to show that the mechanism is operationally feasible in the emerging trend of operators' willingness to increase the programmability of their hardware with SDN technologies such as OpenFlow, as well as to act to mitigate attacks on downstream customers.

AB - Distributed Denial-of-Service (DDoS) attacks continue to trouble network operators and service providers, and with increasing intensity. Effective response to DDoS can be slow (because of manual diagnosis and interaction) and potentially self-defeating (as indiscriminate filtering accomplishes a likely goal of the attacker), and this is the result of the discrepancy between the service provider's flow-based, application-level view of traffic and the network operator's packet-based, network-level view and limited functionality. Furthermore, a network required to take action may be in an Autonomous System (AS) several AS-hops away from the service, so it has no direct relationship with the service on whose behalf it acts. This paper presents Antidose, a means of interaction between a vulnerable peripheral service and an indirectly related AS that allows the AS to confidently deploy local filtering with discrimination under the control of the remote service. We implement the core filtering mechanism of Antidose, and provide an analysis of it to demonstrate that conscious attacks against the mechanism will not expose the AS to additional attacks. We present a performance evaluation to show that the mechanism is operationally feasible in the emerging trend of operators' willingness to increase the programmability of their hardware with SDN technologies such as OpenFlow, as well as to act to mitigate attacks on downstream customers.

KW - Distributed Denial-of-Service

KW - Antidose

KW - mitigation

KW - BPFabric

KW - network security

KW - network resilience

KW - bandwidth saturation attacks

KW - network management

KW - inter-domain collaboration

U2 - 10.1109/TNSM.2018.2828938

DO - 10.1109/TNSM.2018.2828938

M3 - Journal article

VL - 15

SP - 879

EP - 893

JO - IEEE Transactions on Network and Service Management

JF - IEEE Transactions on Network and Service Management

SN - 1932-4537

IS - 3

ER -