PhD defence Jessica Steinberger

Distributed DDoS Defense: A Collaborative Approach at Internet Scale

Jessica Steinberger is a PhD student in the Design and Analysis of Communication Systems group. Her supervisors are prof.dr.ir. A. Pras from the Faculty of Electrical Engineering, Mathematics and Computer Science (EEMCS) and prof.dr.rer.nat. H. Baier from the Darmstadt University.

The Internet has evolved into a vital component that heavily influences our daily lives. A large majority of users rely on the Internet on a regular basis for financial services, shopping and other customer services. In addition, the Internet has become a crucial component for millions of businesses, stock markets, public facilities and transportation hubs, power grids and water delivery systems.

In recent years, large-scale cyber attacks targeting the availability of network infrastructure and services have been reported constantly. Such attacks can lead to enormous financial loss and could potentially trigger sustained power outages over large portions of the electric grid, as well as prolonged disruptions in communications, food and water supplies, and health care delivery.

One type of large-scale cyber attack is the Distributed Denial of Service (DDoS) attack, which remains the top concern responsible for network infrastructure and service outages. The reason is that DDoS attacks are getting larger, more sophisticated (e.g., multi-vector attacks) and more frequent.

At the same time, it has never been easier to execute a DDoS attack: Booter services offer paying customers without any technical knowledge the possibility to launch DDoS attacks as a service via a web page. Besides Booter services, it is also possible to hire a whole botnet (e.g., hire-a-botnet services) for a DDoS campaign at low cost. Moreover, new technology trends in the development of the Internet, such as the Internet of Things (IoT), aim to connect billions of everyday devices. These devices are designed to be user-friendly and accessible and often do not meet a stringent security standard. Currently, 4.9 billion IoT units are in use, and this number is expected to reach 25 billion by 2020. The lack of security standards, the ease with which these devices can be manipulated and the sheer number of available everyday devices encourage attackers to perform large-scale DDoS attacks.

Given the intensity and effects of DDoS attacks, we believe that Internet Service Providers (ISPs) should collaborate to optimize mitigation and their response capabilities, and thus reduce the potential damage caused by DDoS attacks. The main research goal of this thesis is to develop a collaborative, automated approach to mitigate the effects of DDoS attacks at Internet scale. This thesis makes the following main contributions: i) we performed a systematic and multifaceted study on the mitigation of large-scale cyber attacks at ISPs in order to gain insight into current processes, structures and mitigation capabilities. ii) We provided detailed guidance on selecting an exchange format and protocol suitable for disseminating threat information in an ISP network. iii) To overcome the missing flow-based interoperability of current exchange formats, we developed the Flow-based Event Exchange Format (FLEX). iv) In order to perform distributed DDoS defense, we developed a communication process that facilitates automated defense in response to ongoing network-based attacks. v) In addition to the communication process, we developed a model to select and perform a semi-automatic deployment of suitable response actions. vi) We investigated the effectiveness of moving-target defense techniques based on Software Defined Networking (SDN) and their applicability in the context of large-scale cyber attacks and ISP networks. vii) Finally, we developed a trust model that determines a trust level and a knowledge level for a security event in order to deploy semi-automated remediations and to facilitate the dissemination of security event information using the exchange format FLEX in the context of ISP networks.

Our evaluations have shown that the contributions of this thesis can be used by network administrators, network operators and network security engineers to better limit the effects of current and future DDoS attacks and thus prevent network infrastructure and service outages.

Finally, all source code and data that form the basis of the research results in this thesis have value for the research community and have been made publicly available on GitHub (https://github.com/jesstei/MiR) to overcome the closed-source and system-dependent nature of this research domain. This makes it possible for future research to build upon the results of this thesis.