Towards a Distributed Reputation-based DDoS Mitigation Architecture

Lead Research Organisation: University of Oxford
Department Name: Computer Science

Abstract

Denial of service (DoS) attacks are attempts by attackers to prevent legitimate users from accessing connected services through the disconnection, corruption or malicious consumption of the resources upon which the victim service depends. Distributed denial of service attacks (DDoS) are a form of DoS attacks that are executed by multiple distributed agents. Since their first documentation more than two decades ago, DDoS attacks have consistently grown, year-on-year, in magnitude and prevalence to become recognized by Internet service providers (ISPs) as the top operational threat to customers. This threat, however, is compounded by the phenomenon of the Internet of things (IoT), which has inadvertently contributed to growing botnet sizes and resulting attack strengths through an abundant supply of connected yet unsecured devices.

Flood attacks, such as the notorious 1.2 Tbps attack against DNS provider DYN in which DoS was achieved through the scale of data sent, are particularly challenging to deal with. This is because, even if the victim server is able to process requests at its Internet access line rate, the finite resources (routers) along the attack-path eventually reach their capacity to forward received data and, once that limit is exceeded, are no longer able to forward all incoming legitimate requests.

The state of the art in handling such attacks involves enlarging the victim resources (server and router processing power and bandwidths) to increase the capacity of the victim to serve clients. However, the cost of doing so, combined with the rate at which attack strengths are increasing, has led researchers to conclude that bolstering victim resources, as a means of defending against DDoS attacks, is not sustainable.
If attack traffic were to be intercepted further away from its destination, the victim would be far less susceptible to DoS. However, earlier interception requires the ability of intermediary network devices (routers) to reliably identify and eliminate such traffic. This is a challenge since the traditional classification of traffic as malicious is difficult to achieve outside the context of victim-centric information (such as what constitutes "wanted" or "normal" to the victim) and especially if the malicious entity mimics legitimate traffic patterns.
One of the main goals of this research project is to design one such defence that leverages collaboratively maintained reputations to discriminate between malicious and benign traffic closer to their source. The performance of this defence, currently named DiDoS (for Distributed Defence of Service), is to be empirically validated by measuring its effectiveness in identifying malicious sources and alleviating the detrimental effects that a DDoS attack inflicts on an end user. The selected software for these experiments is NS-3 (Network Simulator 3), for many reasons including its open-source customizability and its ability to simulate large networks.
Another goal of this research project is to construct a method through which DDoS defences can be effectively compared. This approach, currently called CED3 (Comparative Evaluation of DDoS Defences), leverages inductive reasoning to build on prior DDoS evaluation work in the literature. Stemming from an induced principle of theoretical subversion, CED3 proposes a technique that enables systematic evaluation and granular comparison of DDoS defences in an attacker-agnostic manner. In order to assess the effectiveness and suitability of CED3 as an option for universal DDoS defence evaluation, CED3 is to be applied to notable DDoS defences. Additionally, CED3 is to be applied to DiDoS, in order to gauge its relative effectiveness.
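The bottleneck argument above (a router on the attack path forwards only a share of what it receives once its capacity is exceeded, so legitimate requests are lost however much capacity the victim has) and the reputation-based alternative can be made concrete in a small model. The following is an added, constructed illustration and not the DiDoS design: the source rates, router capacities, the halving reputation update and the 0.8 admission threshold are all assumptions.

```python
"""Toy model (constructed illustration, not the DiDoS design): traffic from
many sources crosses two routers before reaching the victim. A router that is
over capacity forwards a proportional share with no priority, so a flood
starves legitimate clients. Dropping sources whose collaboratively maintained
reputation has fallen below a threshold at the first router restores delivery."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Source:
    name: str
    rate: float       # requests per second offered by this source
    malicious: bool   # ground truth; only used to measure the outcome

def build_scenario(n_legit=10, n_bots=50):
    """Constructed sources: a few legitimate clients and a larger botnet."""
    legit = [Source(f"client{i}", 10.0, False) for i in range(n_legit)]
    bots = [Source(f"bot{i}", 20.0, True) for i in range(n_bots)]
    return legit + bots

def update_reputation(reputation, reported, decay=0.5):
    """Collaborative update (assumed rule): each victim report halves a
    source's score. Unreported sources keep the default score of 1.0."""
    for name in reported:
        reputation[name] = reputation.get(name, 1.0) * decay
    return reputation

def legit_delivery(sources, capacities, reputation=None, threshold=0.8):
    """Fraction of legitimate requests that reach the victim.
    Sources scoring below `threshold` are dropped at the first router; the
    rest cross each router in `capacities` (requests/s) in order."""
    reputation = reputation or {}
    admitted = [s for s in sources if reputation.get(s.name, 1.0) >= threshold]
    load = sum(s.rate for s in admitted)
    survive = 1.0
    for cap in capacities:
        share = min(1.0, cap / load) if load > 0 else 1.0
        survive *= share   # cumulative share of admitted traffic still flowing
        load *= share      # what the next router on the path actually sees
    legit_all = sum(s.rate for s in sources if not s.malicious)
    legit_in = sum(s.rate for s in admitted if not s.malicious)
    return survive * legit_in / legit_all

if __name__ == "__main__":
    srcs = build_scenario()
    path = [600.0, 300.0]  # upstream router, then the router next to the victim
    print("no filtering:", legit_delivery(srcs, path))
    rep = update_reputation({}, [s.name for s in srcs if s.malicious][:30])
    print("30 of 50 bots reported:", legit_delivery(srcs, path, rep))
    rep = update_reputation(rep, [s.name for s in srcs if s.malicious])
    print("all bots reported:", legit_delivery(srcs, path, rep))
```

With no filtering only 3/11 of legitimate requests survive the two routers; reporting 30 of the 50 bots lifts this to 0.6, and reporting all of them restores full delivery, which is the gain from intercepting traffic closer to its source.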

This project falls within the EPSRC Safe and Secure ICT research area. Since networks vulnerable to DDoS attacks underpin the digital economy, this research project also has potential implications for the EPSRC Digital Economy research area.

Planned Impact

It is part of the nature of Cyber Security - and a key reason for the urgency in developing new research approaches - that it now is a concern of every section of society, and so the successful CDT will have a very broad impact indeed. We will ensure impact for:

* The IT industry; vendors of hardware and software, and within this the IT Security industry;

* High value/high assurance sectors such as banking, bio-medical domains, and critical infrastructure, and more generally the CISO community across many industries;

* The mobile systems community, mobile service providers, handset and platform manufacturers, those developing the technologies of the internet of things, and smart cities;

* Defence sector, MoD/DSTL in particular, defence contractors, and the intelligence community;

* The public sector more generally, in its own activities and in increasingly important electronic engagement with the citizen;

* The not-for-profit sector, education, charities, and NGOs - many of whom work in highly contended contexts, but do not always have access to high-grade cyber defensive skills.

Impact in each of these will be achieved in fresh elaborations of threat and risk models; by developing new fundamental design approaches; through new methods of evaluation, incorporating usability criteria, privacy, and other societal concerns; and by developing prototype and proof-of-concept solutions exhibiting these characteristics. These impacts will retain focus through the way that the educational and research programme is structured - so that the academic and theoretical components are directed towards practical and anticipated problems motivated by the sectors listed here.

Publications


Studentship Projects

Project Reference  Relationship  Related To    Start       End         Student Name
EP/P00881X/1                                   01/10/2016  31/03/2023
2274772            Studentship   EP/P00881X/1  01/10/2016  08/10/2021  Adikan Otung