DDoS mitigation: A measurement-based approach

Mattijs Jonker is a PhD student in the department of Internet Security. His supervisor is prof.dr.ir. A. Pras from the faculty of Electrical Engineering, Mathematics and Computer Science (EWI), and his co-supervisor is dr. A. Sperotto, also from the faculty of Electrical Engineering, Mathematics and Computer Science (EWI).

Society heavily relies upon the Internet for global communications in this day and age. Although core Internet components were designed with resilience in mind, Internet stability and reliability are nowadays continuously subject to deliberate threats. These threats include Denial-of-Service (DoS) attacks, which can potentially be devastating. Numerous notorious attacks underpin the gravity of the DoS threat. And while the DoS problem is by no means new, the number and intensity of attacks have, especially over the past years, reached unexpected proportions. In terms of sheer attack traffic volume, the bar is continually being raised. Experts argue that the full potential of attacks has not been seen yet, which prompts the question of how many record-breaking attacks have yet to reach notoriety in the years to come. As a result of attacks, not only do businesses lose hundreds of millions of dollars annually; when it comes to vital infrastructure, national safety and even lives could be at stake. In the face of the evolving DoS threat, effective defenses are an absolute necessity. The upsurge of the DoS problem has not only prompted the development of diverse mitigation solutions, but has also given rise to a booming market for commercial products. Businesses and other prospective users of mitigation solutions find themselves with offerings of many shapes and sizes to choose from. The right fit may, however, not always be apparent. In addition, even though diverse solutions are readily available, their deployment and operation may come with hidden hazards that need to be better understood.

Policy makers and governments also find themselves facing questions concerning what needs to be done to promote cybersafety on a national level. Should we stimulate the market for mitigation solutions? Are there drawbacks to centralization of that market? And can we become too digitally dependent on other countries, especially when it comes to the safety and security of vital infrastructure? Given such questions, developing an optimal course of action to deal with the DoS problem brings about societal challenges that stack further upon technical ones.

Even though the DoS problem is not new, the scale of the problem is still unclear. We do not know exactly what it is we are defending against, and getting a better understanding of attacks is essential to addressing the problem head-on. To advance situational awareness, many technical and societal challenges are yet to be tackled. Given the central importance of better understanding the DoS problem to improve overall Internet security, this thesis has three main contributions. First, this thesis rigorously characterizes DoS attacks and attacked targets at scale. Second, this thesis advances knowledge about the Internet-wide adoption, deployment and operational use of various mitigation solutions. Third, this thesis investigates hidden hazards with mitigation solutions that have the potential to hamstring defenses or render mitigation solutions altogether ineffective.

In terms of the first contribution, this thesis reveals the massive scale of the DoS problem. Our analysis of attacks reveals nearly 21 million attacks over a two-year period. We also show that, during the same period, about one-third of all /24 network address blocks estimated to be active on the Internet have been on the receiving end of at least one attack.

When it comes to the second contribution, this thesis investigates two solutions to mitigate attacks: cloud-based protection services and BGP blackholing. We quantify the uptake of protection services and reveal a prominent global trend in adoption. We also investigate the extent to which targets adopt (i.e., migrate to) protection services after having been targeted by a DoS attack. As for BGP blackholing, this thesis investigates various operational aspects in the wild. Our results reveal how blackholing is applied in practice by operators. We show that for nearly 4% of attacks that are mitigated using blackholing, it takes more than 24 hours following the end of the attack for operators to retract the countermeasure. During this time, blackholed hosts are cut off from the Internet (at least partially). The apparent lack of automation in recovery raises concern that hosts, as well as services running on them, may be cut off from users unnecessarily. In addition, we unveil that less intense attacks are also blackholed: in 13% of cases the inferred attack traffic volume is at most 3 Mbps. As blackholing effectively brings about a ‘self-inflicted’ DoS, these findings raise the question of how much (or little) effort is required for attackers to get operators to trigger such an extreme countermeasure.

Focusing on the third contribution, this thesis investigates, for both mitigation solutions under consideration, hazards that can hamstring DoS defenses. Cloud-based protection services may be bypassed by sophisticated attackers as a result of mistakes in deployment. Such mistakes may not be clearly understood by all users, which can lead to a false sense of security. We quantify this drawback on the Internet, focusing on the world’s most popular Web sites and on leading commercial protection services. Our results underpin the extent of the problem: the protection of 41% of the Web sites under consideration can be bypassed. As for blackholing, this thesis takes preliminary steps towards investigating the extent to which hosts are cut off unnecessarily. We quantify this in terms of common Internet services that run on blackholed hosts.

This thesis will show from its outset that a basic challenge we are faced with concerns data. Acquiring and developing diverse (raw) data sources to methodologically study the DoS problem constitutes a challenge. While this thesis comes a long way by systematically fusing data sources, future research, the research community and, more generally speaking, society stand to benefit from improvements in data sharing. For this reason, this thesis also calls for structural improvements in data sharing.
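The blackholing findings above rest on fusing attack events with blackhole route announcements and withdrawals observed in BGP. As an added example (not code from the thesis), the Python below runs that fusion over constructed sample records and computes the two indicators the summary reports, the share of blackholes retracted more than 24 hours after the attack ended and the share triggered for attacks of at most 3 Mbps; the record formats, prefixes and timestamps are assumptions, and the same logic lets an operator audit retraction lag on their own route logs.

```python
from datetime import datetime, timedelta

# Constructed sample input (not data from the thesis). Attack events as
# inferred from an attack data source: (target prefix, start, end, peak Mbps).
ATTACKS = [
    ("192.0.2.10/32",   "2017-03-01T10:00:00", "2017-03-01T10:40:00", 950.0),
    ("192.0.2.77/32",   "2017-03-02T08:00:00", "2017-03-02T08:05:00", 2.5),
    ("198.51.100.5/32", "2017-03-03T12:00:00", "2017-03-03T13:00:00", 12000.0),
]
# BGP updates for blackhole-tagged routes as seen at a route collector:
# (prefix, 'A' announce / 'W' withdraw, timestamp). Also constructed.
BGP_EVENTS = [
    ("192.0.2.10/32",   "A", "2017-03-01T10:02:00"),
    ("192.0.2.10/32",   "W", "2017-03-01T11:00:00"),  # 20 min after attack end
    ("192.0.2.77/32",   "A", "2017-03-02T08:01:00"),
    ("192.0.2.77/32",   "W", "2017-03-02T08:30:00"),  # 25 min after attack end
    ("198.51.100.5/32", "A", "2017-03-03T12:05:00"),
    ("198.51.100.5/32", "W", "2017-03-05T09:00:00"),  # 44 h after attack end
]

def fuse(attacks, bgp_events):
    """Pair each attack with a blackhole route announced while the attack
    was ongoing, and with the first withdrawal after that announcement.
    'delay' is withdrawal time minus attack end; None if never withdrawn."""
    records = []
    for prefix, start, end, mbps in attacks:
        start, end = datetime.fromisoformat(start), datetime.fromisoformat(end)
        events = sorted((datetime.fromisoformat(t), a)
                        for p, a, t in bgp_events if p == prefix)
        announce = next((t for t, a in events if a == "A" and start <= t <= end), None)
        if announce is None:
            continue  # attack was not mitigated with blackholing
        withdraw = next((t for t, a in events if a == "W" and t > announce), None)
        delay = None if withdraw is None else withdraw - end
        records.append({"prefix": prefix, "mbps": mbps, "delay": delay})
    return records

def summarize(records, slow=timedelta(hours=24), low_mbps=3.0):
    """Share of blackholed attacks retracted more than `slow` after the attack
    ended (or never), and share whose inferred peak volume is <= `low_mbps`."""
    n = len(records)
    if n == 0:
        return {"blackholed": 0, "slow_share": 0.0, "low_volume_share": 0.0}
    slow_n = sum(1 for r in records if r["delay"] is None or r["delay"] > slow)
    low_n = sum(1 for r in records if r["mbps"] <= low_mbps)
    return {"blackholed": n, "slow_share": slow_n / n, "low_volume_share": low_n / n}

if __name__ == "__main__":
    print(summarize(fuse(ATTACKS, BGP_EVENTS)))
```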