Network DDoS Layer 3/4/7 Mitigation via Dynamic Web Redirection

  • Todd Booth
  • Karl AnderssonEmail author
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 670)


Layer 3, 4 and 7 DDoS attacks are common and very difficult to defend against. The academic community has published hundreds of well thought out algorithms, which require changes in computer networking equipment, to better detect and mitigate these attacks. The problem with these solutions, is that they require computer networking manufacturers to make changes to their hardware and/or software. On the other hand, with our solution, absolutely no hardware or software changes are required. We only require the use of BGP4 Flow-Spec, which has already been widely deployed many years ago. Further the customers’ own ISP does not require Flow-Spec. Our algorithm protects groups of over sixty-five thousand different customers, via the aggregation into one very small Flow-Spec rule. In this paper, we propose our novel, low cost and efficient solution, to both detect and greatly mitigate any and all types of L347 DDoS Web attacks.


DDoS DRDoS Bandwidth Reflector BotNet BGP4 Flow-Spec 


  1. 1.
    Alwabel, A., Yu, M., Zhang, Y., Mirkovic, J.: SENSS: observe and control your own traffic in the internet. In: Proceedings of the 2014 ACM Conference on SIGCOMM, SIGCOMM 2014, pp. 349–350. ACM, New York (2014)Google Scholar
  2. 2.
    Arukonda, S., Sinha, S.: The innocent perpetrators: reflectors and reflection attacks. Adv. Comput. Sci. 4, 94–98 (2015)Google Scholar
  3. 3.
    Bhuyan, M.H., Bhattacharyya, D.K., Kalita, J.K.: An empirical evaluation of information metrics for low-rate and high-rate DDoS attack detection. Pattern Recogn. Lett. 51, 1–7 (2015)CrossRefGoogle Scholar
  4. 4.
    Booth, T.G., Andersson, K.: Elimination of DoS UDP reflection amplification bandwidth attacks, protecting TCP services. In: Doss, R., Piramuthu, S., ZHOU, W. (eds.) FNSS 2015. CCIS, vol. 523, pp. 1–15. Springer, Heidelberg (2015)CrossRefGoogle Scholar
  5. 5.
    Booth, T., Andersson, K.: Network security of internet services: eliminate DDoS reflection amplification attacks. J. Internet Serv. Inf. Secur. (JISIS) 5(3), 58–79 (2015)Google Scholar
  6. 6.
    Chonka, A., Xiang, Y., Zhou, W., Bonti, A.: Cloud security defence to protect cloud computing against HTTP-DoS and XML-DoS attacks. J. Netw. Comput. Appl. 34(4), 1097–1107 (2011)CrossRefGoogle Scholar
  7. 7.
    Chung, C.-J., Khatkar, P., Xing, T., Lee, J., Huang, D.: NICE: network intrusion detection and countermeasure selection in virtual network systems. IEEE Trans. Dependable Secur. Comput. 10(4), 198–211 (2013)CrossRefGoogle Scholar
  8. 8.
    CloudFlare. 400gbps: Winter of Whopping Weekend DDoS Attacks. Accessed 2 May 2016
  9. 9.
    Dietzel, C., Feldmann, A., King, T.: Blackholing at IXPs: on the effectiveness of DDoS mitigation in the wild. In: Karagiannis, T., et al. (eds.) PAM 2016. LNCS, vol. 9631, pp. 319–332. Springer, Heidelberg (2016). doi: 10.1007/978-3-319-30505-9_24 CrossRefGoogle Scholar
  10. 10.
    Fachkha, C., Bou-Harb, E., Debbabi, M.: Inferring distributed reflection denial of service attacks from darknet. Comput. Commun. 62, 59–71 (2015)CrossRefGoogle Scholar
  11. 11.
    Furfaro, A., Malena, G., Molina, L., Parise, A.: A simulation model for the analysis of DDOS amplification attacks. In: 17th USKSIM-AMSS International Conference on Modelling and Simulation, pp. 267–272 (2015)Google Scholar
  12. 12.
    Gillman, D., Lin, Y., Maggs, B., Sitaraman, R.K.: Protecting websites from attack with secure delivery networks. Computer 48(4), 26–34 (2015)CrossRefGoogle Scholar
  13. 13.
    Giotis, K., Androulidakis, G., Maglaris, V.: A scalable anomaly detection and mitigation architecture for legacy networks via an OpenFlow middlebox. Secur. Commun. Netw. 9, 1958–1970 (2016)Google Scholar
  14. 14.
    Hevner, A.R., March, S.T., Park, J., Ram, S.: Design science in information systems research. MIS Q. Manag. Inf. Syst. 28(1), 75–105 (2004)Google Scholar
  15. 15.
    Nexusguard: Whitepapers on DDoS Mitigation, Cyber Attack. Accessed 20 Apr 2016
  16. 16.
    Nygren, E., Sitaraman, R., Sun, J.: The Akamai network: a platform for high-performance internet applications. SIGOPS Oper. Syst. Rev. 44(3), 2–19 (2010)CrossRefGoogle Scholar
  17. 17.
    Osanaiye, O.A.: Short Paper: IP spoofing detection for preventing DDoS attack in Cloud Computing. In: 2015 18th International Conference on Intelligence in Next Generation Networks (ICIN), pp. 139–141, February 2015Google Scholar
  18. 18.
    Poulopoulos, L., Mamalis, M., Polyrakis, A.: FireCircle: GRNET’s approach to advanced network security services’ management via BGP flow-spec and NETCONF. In: 2012 Proceedings of the 28th TERENA Networking Conference (2012)Google Scholar
  19. 19.
    Raj, K., Selvakumar, S.: Distributed denial of service attack detection using an ensemble of neural classifier. Comput. Commun. 34(11), 1328–1341 (2011)CrossRefGoogle Scholar
  20. 20.
    Santanna, J.J., Durban, R., Sperotto, A., Pras, A.: Inside booters: An analysis on operational databases. In: 2015 IFIP/IEEE International Symposium on Integrated Network Management (IM), pp. 432–440, May 2015Google Scholar
  21. 21.
    Santanna, J.J., van Rijswijk-Deij, R., Hofstede, R., Sperotto, A., Wierbosch, M., Granville, L.Z., Pras, A., Booters; An analysis of DDoS-as-a-service attacks. In: 2015 IFIP/IEEE International Symposium on Integrated Network Management (IM), pp. 243–251, May 2015Google Scholar
  22. 22.
    van der Steeg, D., Hofstede, R., Sperotto, A., Pras, A.: Real-time DDoS attack detection for Cisco IOS using NetFlow. In: 2015 IFIP/IEEE International Symposium on Integrated Network Management (IM), pp. 972–977, May 2015Google Scholar
  23. 23.
    Steinberger, J., Sperotto, A., Baier, H., Pras, A.: Collaborative attack mitigation and response: a survey. In: 2015 IFIP/IEEE International Symposium on Integrated Network Management (IM), pp. 910–913. IEEE (2015)Google Scholar
  24. 24.
    Thatte, G., Mitra, U., Heidemann, J.: Parametric methods for anomaly detection in aggregate traffic. IEEE/ACM Trans. Netw. 19(2), 512–525 (2011)CrossRefGoogle Scholar
  25. 25.
    Usha Devi, G., Priyan, M.K., Vishnu Balan, E., Gokul Nath, C., Chandrasekhar, M.: Detection of DDoS attack using optimized hop count filtering technique. Indian J. Sci. Technol. itextbf8(26) (2015)Google Scholar
  26. 26.
    Xiang, Y., Li, K., Zhou, W.: Low-rate DDoS attacks detection and traceback by using new information metrics. IEEE Trans. Inf. Forensics Secur. 6(2), 426–437 (2011)CrossRefGoogle Scholar
  27. 27.
    Yan, Q., Yu, F.R.: Distributed denial of service attacks in software-defined networking with cloud computing. IEEE Commun. Mag. 53(4), 52–59 (2015)CrossRefGoogle Scholar
  28. 28.
    Yan, Q., Yu, F.R., Gong, Q., Li, J.: Software-defined networking (SDN) and distributed denial of service (DDoS) attacks in cloud computing environments: a survey, some research issues, and challenges. IEEE Commun. Surv. Tutor. 18(1), 602–622 (2016)CrossRefGoogle Scholar
  29. 29.
    Yang, M.-H., Yang, M.-C.: RIHT: a novel hybrid IP traceback scheme. IEEE Trans. Inf. Forensics Secur. 7(2), 789–797 (2012)CrossRefGoogle Scholar
  30. 30.
    Yu, S., Zhou, W., Jia, W., Guo, S., Xiang, Y., Tang, F.: Discriminating DDoS attacks from flash crowds using flow correlation coefficient. IEEE Trans. Parallel Distrib. Syst. 23(6), 1073–1080 (2012)CrossRefGoogle Scholar
  31. 31.
    Zargar, S.T., Joshi, J., Tipper, D.: A survey of defense mechanisms against distributed denial of service (DDoS) flooding attacks. IEEE Commun. Surv. Tutor. 15(4), 2046–2069 (2013)CrossRefGoogle Scholar

Copyright information

© Springer International Publishing AG 2016

Authors and Affiliations

  1. 1.Division of Computer ScienceLuleå University of TechnologyLuleåSweden

Personalised recommendations