DDoS Defense

AsiaCCS 2020

In-Network Filtering of Distributed Denial-of-Service Traffic with Near-Optimal Rule Selection

In this paper, we introduce a new, offer-based operational model for in-network DDoS defense and formulate the NP-hard rule selection problem for this model. We then design an algorithm that overcomes the fundamental limitations of the classical ACO framework and transform it with several key changes to make it applicable to the domain of in-network DDoS defense. Finally, we use a real-world Internet routing topology and two real-world DDoS traces, along with one synthetic trace that follows the attack distribution of the recent Mirai DDoS attack, to evaluate the efficacy and runtime of our algorithm against four other rule selection algorithms, and show our algorithm is near-optimal.

CSET 2020

Bridging Missing Gaps in Evaluating DDoS Research

In this work, we elaborate on the critical missing gaps in DDoS defense evaluation and propose a new evaluation platform to help produce the missing defense analytics. To identify the impact of a defense solution in realistic network settings, our platform offers to emulate a mini Internet topology with realistic IP address space allocation and generate representational, closed-loop background traffic specific to particular networks. As such, our platform fulfills the prominent missing gaps in current DDoS research. In the end, we conduct some experiments to demonstrate the correctness and efficiency of our platform.

PAM 2020

POSTER: Playing in the Sandbox: A Step Towards Sound DDoS Research Through High-Fidelity Evaluation

This paper is the poster version of Bridging Missing Gaps in Evaluating DDoS Research (CSET 2020). This poster paper introduced the world to our Sandbox.

ACSAC 2019

POSTER: The Catch-22 Attack

In this work, we introduce the Catch-22 attack, a distributed denial-of-service (DDoS) link-flooding attack that exploits real-world limitations of DDoS defense. An attacker in the Catch-22 attack leverages virtual private server (VPS) providers and residential proxy services as vehicles for assembling a botnet, and employs moving target attack techniques to not only maximize the amount of strain on DDoS defense, but also maximize the amount of collateral damage incurred by attacked networks, thereby wreaking havoc on wide swaths of the Internet. In fact, according to our preliminary evaluation, the Catch-22 attack can cause significant collateral damage to over thousands of websites from a major VPS provider. To the best of our knowledge, no existing work has yet to present a solution for such an attack, let alone study it.

IM 2019

On Multi-Point, In-Network Filtering of Distributed Denial-of-Service Traffic

In this paper, we model the existing two main categories of in-network DDoS defense algorithms (PushBack, SourceEnd) and propose a new type of algorithm (StrategicPoints). In particular, we compare their effectiveness in minimizing the amount of DDoS traffic that the victim receives, their impact on reducing the DDoS traffic on the entire Internet, and their resiliency against intelligent adversaries and dynamic attacks. We detail how the comparison results vary according to parameters and provide our insights on the pros and cons of these three categories of in-network DDoS defense solutions.

ICCCN 2018

FR-WARD: Fast Retransmit as a Wary but Ample Response to Distributed Denial-of-Service Attacks from the Internet of Things

We present FR-WARD, a system that defends against DDoS attacks launched from an IoT network. FR-WARD operates close to potential attack sources at the gateway of an IoT network and drops packets to throttle any DDoS traffic that attempts to leave the IoT network. However, in order to properly react to traffic too difficult to categorically label as good or bad, FR-WARD employs a novel response based on the fast retransmit and flow control mechanisms of the Transmission Control Protocol (TCP) which minimizes the energy consumption and network latency of benign IoT devices within the policed network.