Cluster-Based Countermeasures for DDoS Attacks

Introduction

Among the many security threats in the current Internet, Distributed Denial of Service (DDoS) attacks are considered to be one of the most serious. Denials of Service (DoS) attacks aim to make the resources of the computer system of the victim unavailable or unreliable in providing their intended services. In the context of this work, DoS attacks try to consume and exhaust the victim's bandwidth or the server capacity. In DDoS attacks, the attacker compromises a large number of hosts in Internet and instructs them to conduct a coordinated attack. The network of the compromised hosts is called a botnet. In recent years, a sharp increase in large DDoS attacks has been reported (Figure 1).

Figure 1.

Size of largest reported DDoS Attack (Gbps)¹

While progress has been made in preventing or at least significantly lessening the impact of various security vulnerabilities, real progress in fighting DDoS is still missing. While automated software updates and antivirus programs can limit the number of compromised computers, there are still botnets comprising of millions of nodes. Another potential defence is to filter the packets sent by the DDoS attacker at a firewall after detecting the attack with and intrusion detection system (IDS). These rule-based detection and filtering techniques have not been successful in filtering DDoS attack because the DDoS attacker can send seemingly legitimate traffic. In the case of open services, such as web servers, the DDoS attacker only needs to send large quantities of useless service requests. Thus, there might be no specific features of DDoS attack traffic that the rule-based filters can be instructed to filter. With such malicious but legitimate traffic, DDoS attackers are able to relatively easily bypass most means of DDoS defence.

This work analyzes and experiment with cluster-based filtering for DDoS defense. In cluster-based filtering, unsupervised learning is used to create a normal profile of the network traffic. Then the filter for DDoS attacks is based on this normal profile. This work focuses on the scenario in which the cluster-based filter is deployed at the target network and serves for proactive or reactive defense.

A game-theoretic model is created for the scenario, making it possible to model the defender and attacker strategies as mathematical optimization tasks. The obtained optimal strategies are then experimentally evaluated. In the test bed setup, the hierarchical heavy hitters (HHH) algorithm is applied to traffic clustering and the Differentiated Services (DiffServ) quality-of-service (QoS) architecture is used for deploying the cluster-based filter on a Linux router.

The theoretical results suggest that the cluster-based filtering is an effective method for DDoS defense, unless the attacker is able to send traffic which perfectly imitates the normal traffic distribution. The experimental outcome confirms the theoretical results and shows the high effectiveness of cluster-based filtering in proactive and reactive DDoS defense.

The structure of the chapter is as follows. Section 2 presents background about different DDoS attacks. An overview of existing DDoS defense methods with particular focus on solutions based on clustering the traffic as well as solutions that employ DiffServ is presented in section 3. In section 4, a game-theoretic model of cluster-based filtering is described. Section 5 describes the test bed setup and the results of the experimental evaluation. Lastly, discussion of the obtained results is presented in section 6 and the work is concluded in section 7.

Background Information

Before classification of DDoS attacks, a typical DDoS attack scenario is presented here. It shows why it is so prevalent, and its intrinsic reasons why it is so easy to launch. Figure 2 shows a hierarchical model of a DDoS attack. DDoS attack divide into 2 types. One is bandwidth depletion. This method is to congest the network, massive use of the bandwidth then lead the network breakdown. The other type is resource depletion. Attacker depletes the key resources such as CPU, memory and so on and then breaks the server (Mittal et al., 2011). The attack usually starts from numerous sources to aim at a single target. Multiple target attacks are less common. A compilation of different types of DDoS attacks are presented as follows: