Distributed Denial of Service Attack Prevention at Source Machines
| Field | Value |
|---|---|
| Title | Distributed Denial of Service Attack Prevention at Source Machines |
| Publication Type | Conference Paper |
| Year of Publication | 2018 |
| Authors | Misono, Masanori; Yoshida, Kaito; Hwang, Juho; Shinagawa, Takahiro |
| Conference Name | 2018 IEEE 16th Intl Conf on Dependable, Autonomic and Secure Computing, 16th Intl Conf on Pervasive Intelligence and Computing, 4th Intl Conf on Big Data Intelligence and Computing and Cyber Science and Technology Congress (DASC/PiCom/DataCom/CyberSciTech) |
| Publisher | IEEE |
| ISBN Number | 978-1-5386-7518-2 |
| Keywords | arbitrary packet transmissions, attack packets, Berkeley packet filter, BitVisor, composability, Computer crime, computer network security, configurable packet filtering mechanism, DDoS Attack, DDoS Attack Prevention, distributed denial of service attack prevention, filtering policy, flexible DDoS attack prevention scheme, guaranteed safe code execution mechanism, Hardware, hijacked machines, Human Behavior, hypervisor, Internet, lightweight DDoS attack prevention scheme, Metrics, operating system, packet transmission suppression, particle filtering (numerical methods), pubcrawl, reliability, reliable DDoS attack prevention scheme, resilience, Resiliency, security, Servers, source machines, thin hypervisor, throughput overhead, transparent DDoS attack prevention scheme, user experience avoidance, Virtual machine monitors, virtual machines, virtualisation, virtualization, virtualization overhead reduction |
| Abstract | A distributed denial of service (DDoS) attack is a serious cyberattack that exhausts a target machine's processing capacity by sending a huge number of packets from hijacked machines. To minimize the resource consumption caused by DDoS attacks, filtering attack packets at the source machines is the best approach. Although many studies have explored the detection of DDoS attacks, few have proposed DDoS attack prevention schemes that work at source machines. We propose a reliable, lightweight, transparent, and flexible DDoS attack prevention scheme that works at source machines. In this scheme, we employ a hypervisor with a packet filtering mechanism on each managed machine to allow the administrator to easily and reliably suppress packet transmissions. To make the proposed scheme lightweight and transparent, we exploit a thin hypervisor that allows pass-through access to hardware (except for network devices) from the operating system, thereby reducing virtualization overhead and avoiding any compromise of the user experience. To make the proposed scheme flexible, we exploit a configurable packet filtering mechanism with a guaranteed safe code execution mechanism that allows the administrator to provide a filtering policy as executable code. In this study, we implemented the proposed scheme using BitVisor and the Berkeley Packet Filter. Experimental results show that the proposed scheme can suppress arbitrary packet transmissions with negligible latency and throughput overhead compared to a bare-metal system without filtering mechanisms. |
| URL | https://ieeexplore.ieee.org/document/8511939 |
| DOI | 10.1109/DASC/PiCom/DataCom/CyberSciTec.2018.00096 |
| Citation Key | misono_distributed_2018 |