Distributed Denial of Service Attack Prevention at Source Machines

Title: Distributed Denial of Service Attack Prevention at Source Machines
Publication Type: Conference Paper
Year of Publication: 2018
Authors: Misono, Masanori; Yoshida, Kaito; Hwang, Juho; Shinagawa, Takahiro
Conference Name: 2018 IEEE 16th Intl Conf on Dependable, Autonomic and Secure Computing, 16th Intl Conf on Pervasive Intelligence and Computing, 4th Intl Conf on Big Data Intelligence and Computing and Cyber Science and Technology Congress (DASC/PiCom/DataCom/CyberSciTech)
Publisher: IEEE
ISBN Number: 978-1-5386-7518-2
Keywords: arbitrary packet transmissions, attack packets, Berkeley packet filter, BitVisor, composability, Computer crime, computer network security, configurable packet filtering mechanism, DDoS Attack, DDoS Attack Prevention, distributed denial of service attack prevention, filtering policy, flexible DDoS attack prevention scheme, guaranteed safe code execution mechanism, Hardware, hijacked machines, Human Behavior, hypervisor, Internet, lightweight DDoS attack prevention scheme, Metrics, operating system, packet transmission suppression, particle filtering (numerical methods), pubcrawl, reliability, reliable DDoS attack prevention scheme, resilience, Resiliency, security, Servers, source machines, thin hypervisor, throughput overhead, transparent DDoS attack prevention scheme, user experience avoidance, Virtual machine monitors, virtual machines, virtualisation, virtualization, virtualization overhead reduction
Abstract:

Distributed denial of service (DDoS) attacks are serious cyberattacks that exhaust a target machine's processing capacity by sending a huge number of packets from hijacked machines. To minimize the resource consumption caused by DDoS attacks, filtering attack packets at the source machines is the best approach. Although many studies have explored the detection of DDoS attacks, few have proposed DDoS attack prevention schemes that work at source machines. We propose a reliable, lightweight, transparent, and flexible DDoS attack prevention scheme that works at source machines. In this scheme, we employ a hypervisor with a packet filtering mechanism on each managed machine to allow the administrator to easily and reliably suppress packet transmissions. To make the proposed scheme lightweight and transparent, we exploit a thin hypervisor that allows pass-through access to hardware (except for network devices) from the operating system, thereby reducing virtualization overhead and avoiding any degradation of the user experience. To make the proposed scheme flexible, we exploit a configurable packet filtering mechanism with a guaranteed safe code execution mechanism that allows the administrator to provide a filtering policy as executable code. In this study, we implemented the proposed scheme using BitVisor and the Berkeley Packet Filter. Experimental results show that the proposed scheme can suppress arbitrary packet transmissions with negligible latency and throughput overhead compared to a bare-metal system without filtering mechanisms.

URL: https://ieeexplore.ieee.org/document/8511939
DOI: 10.1109/DASC/PiCom/DataCom/CyberSciTec.2018.00096
Citation Key: misono_distributed_2018