Abstract
Layer 3, 4 and 7 DDoS attacks are common and very difficult to defend against. The academic community has published hundreds of well-thought-out algorithms to better detect and mitigate these attacks, but these solutions require changes in computer networking equipment: manufacturers would have to change their hardware and/or software. Our solution, by contrast, requires absolutely no hardware or software changes. We only require the use of BGP4 Flow-Spec, which was already widely deployed many years ago. Further, the customers’ own ISP does not require Flow-Spec. Our algorithm protects groups of over sixty-five thousand different customers by aggregating them into one very small Flow-Spec rule. In this paper, we propose our novel, low-cost and efficient solution to both detect and greatly mitigate any and all types of Layer 3/4/7 DDoS Web attacks.
Copyright information
© 2016 Springer International Publishing AG
About this paper
Cite this paper
Booth, T., Andersson, K. (2016). Network DDoS Layer 3/4/7 Mitigation via Dynamic Web Redirection. In: Doss, R., Piramuthu, S., Zhou, W. (eds) Future Network Systems and Security. FNSS 2016. Communications in Computer and Information Science, vol 670. Springer, Cham. https://doi.org/10.1007/978-3-319-48021-3_8
DOI: https://doi.org/10.1007/978-3-319-48021-3_8
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-48020-6
Online ISBN: 978-3-319-48021-3
eBook Packages: Computer Science, Computer Science (R0)