DOI: 10.1145/3460120.3484737
Research article

Deterrence of Intelligent DDoS via Multi-Hop Traffic Divergence

Published: 13 November 2021

Abstract

We devise a simple, provably effective, and readily usable deterrence against intelligent, unknown DDoS threats: demotivate adversaries from launching attacks via multi-hop traffic divergence. This new strategy is motivated by the fact that existing defenses almost always lag behind numerous emerging DDoS threats and evolving intelligent attack strategies. The root cause is that, if adversaries are smart and adaptive, no single-hop defense (not even an optimal one) can perfectly differentiate unknown DDoS traffic from legitimate traffic. Instead, we formulate intelligent DDoS as a game between attackers and defenders, and prove how multi-hop traffic divergence helps bypass this dilemma by reversing the asymmetry between attackers and defenders. This insight results in EID, an Economical Intelligent DDoS Demotivation protocol. EID combines local weak (yet divergent) filters to provably null attack gains without knowing the exploited vulnerabilities or attack strategies. It incentivizes multi-hop defenders to cooperate by boosting local service availability. EID is resilient to traffic dynamics and manipulations. It is readily deployable with random-drop filters in real networks today. Our experiments over a 49.8 TB dataset from a department at the Tsinghua campus network validate EID's viability against rational and irrational DDoS with negligible costs.


Published In

CCS '21: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security
November 2021
3558 pages
ISBN:9781450384544
DOI:10.1145/3460120
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. adversarial machine learning
  2. cyber security economics
  3. game theory
  4. intelligent ddos
  5. random drop
  6. traffic divergence

Conference

CCS '21
Sponsor:
CCS '21: 2021 ACM SIGSAC Conference on Computer and Communications Security
November 15 - 19, 2021
Virtual Event, Republic of Korea

Acceptance Rates

Overall Acceptance Rate 388 of 2,273 submissions, 17%
