Catch Me If You Can: A Cloud-Enabled DDoS Defense
| Field | Value |
|---|---|
| Title | Catch Me If You Can: A Cloud-Enabled DDoS Defense |
| Publication Type | Conference Paper |
| Year of Publication | 2014 |
| Authors | Quan Jia, Huangxin Wang, Fleck, D., Fei Li, Stavrou, A., Powell, W. |
| Conference Name | Dependable Systems and Networks (DSN), 2014 44th Annual IEEE/IFIP International Conference on |
| Date Published | June |
| Keywords | Amazon EC2, attack dilution strategies, attack mitigation, client-server systems, client-to-server reassignment plans, cloud, cloud computing, cloud-enabled DDoS defense, computational distributed denial-of-service attacks, Computer architecture, Computer crime, computer network security, DDoS, intelligent client reassignment, Internet services, IP networks, large-scale DDoS attacks, moving target defense, moving target mechanism, moving targets, network attacks, optimal reassignment strategy, Servers, Shuffling, shuffling mechanism, system architecture, turning victim servers, Web and internet services |
| Abstract | We introduce a cloud-enabled defense mechanism for Internet services against network and computational Distributed Denial-of-Service (DDoS) attacks. Our approach performs selective server replication and intelligent client re-assignment, turning victim servers into moving targets for attack isolation. We introduce a novel system architecture that leverages a "shuffling" mechanism to compute the optimal re-assignment strategy for clients on attacked servers, effectively separating benign clients from even sophisticated adversaries that persistently follow the moving targets. We introduce a family of algorithms to optimize the runtime client-to-server re-assignment plans and minimize the number of shuffles to achieve attack mitigation. The proposed shuffling-based moving target mechanism enables effective attack containment using fewer resources than attack dilution strategies using pure server expansion. Our simulations and proof-of-concept prototype using Amazon EC2 [1] demonstrate that we can successfully mitigate large-scale DDoS attacks in a small number of shuffles, each of which incurs a few seconds of user-perceived latency. |
| DOI | 10.1109/DSN.2014.35 |
| Citation Key | 6903585 |