Bohatei: Flexible and elastic DDoS defense

Proceedings of the 24th USENIX Security Symposium

Volumn , Issue , 2015, Pages 817-832

  Fayaz, Seyed K ^a   Tobioka, Yoshiaki ^a   Sekar, Vyas ^a   Bailey, Michael ^b  

^a CMU

^b UIUC

Author keywords

[No Author keywords available]

Indexed keywords

DENIAL-OF-SERVICE ATTACK; NETWORK SECURITY;

ATTACK PATTERNS; CHOKE POINTS; DDOS ATTACK; DEFENSE SYSTEM; DESIGN AND IMPLEMENTS; NETWORK FUNCTIONS; SOFTWARE DEFINED NETWORKING (SDN);

NETWORK FUNCTION VIRTUALIZATION;

EID: 85076279342     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (60)

1. Bohatei. https://github.com/ddos-defense/bohatei.
2. Amazon EC2. http://aws.amazon.com/ec2/.
3. Arbor Networks, worldwide infrastructure security report, volume IX, 2014. http://bit.ly/1R0NDRi.
4. AT&T and Intel: Transforming the Network with NFV and SDN. https://www.youtube.com/watch?v=F55pHxTeJLc#t=76.
5. AT&T Denial of Service Protection. http://soc.att.com/ 1IIlUec.
6. AT&T Domain 2.0 Vision White Paper. http://soc.att.com/ 1kAw1Kp.
7. Click Modular Router. http://www.read.cs.ucla.edu/click/ click.
8. CloudFlare. https://www.cloudflare.com/ddos.
9. DDoS protection using Netfilter/iptables. http://bit.ly/1IImM2F.
10. Dell PowerEdge Rack Servers. http://dell.to/1dtP5Jk.
11. GSA Advantage. http://1.usa.gov/1ggEgFN.
12. Incapsula Survey: What DDoS Attacks Really Cost Businesses, 2014. http://bit.ly/1CFZyIr.
13. iptables. http://www.netfilter.org/projects/iptables/.
14. NTP attacks: Welcome to the hockey stick era. http://bit.ly/ 1ROlwQe.
15. ONS 2014 Keynote: John Donovan, Senior EVP, AT&T Technology & Network Operations. http://bit.ly/1RQFMko.
16. Open vSwitch. http://openvswitch.org/.
17. OpenDaylight project. http://www.opendaylight.org/.
18. Packet processing on Intel architecture. http://intel.ly/1efIEu6.
19. Prolexic. http://www.prolexic.com/.
20. Radware. http://www.radware.com/Solutions/Security/.
21. Time for an SDN Sequel? http://bit.ly/1BSpdma.
22. Topology Zoo. www.topology-zoo.org.
23. Verizon-Carrier Adoption of Software-defined Networking. https://www.youtube.com/watch?v=WVczl03edi4.
24. ZScaler Cloud Security. http://www.zscaler.com.
25. D. G. Andersen. Mayday: Distributed filtering for internet services. In Proc. USITS, 2003.
26. D. G. Andersen, H. Balakrishnan, N. Feamster, T. Koponen, D. Moon, and S. Shenker. Accountable internet protocol (AIP). In Proc. SIGCOMM, 2008.
27. P. Barford, J. Kline, D. Plonka, and A. Ron. A signal analysis of network traffic anomalies. In Proc. ACM SIGCOMM Workshop on Internet Measurement, 2002.
28. R. Cáceres, F. Douglis, A. Feldmann, G. Glass, and M. Rabinovich. Web proxy caching: The devil is in the details. SIGMETRICS Perform. Eval. Rev., 26(3):11–15, Dec. 1998.
29. M. Casado, T. Koponen, S. Shenker, and A. Tootoonchian. Fabric: A retrospective on evolving sdn. In Proc. HotSDN, 2012.
30. J. Czyz, M. Kallitsis, M. Gharaibeh, C. Papadopoulos, M. Bailey, and M. Karir. Taming the 800 pound gorilla: The rise and decline of ntp ddos attacks. In Proc. IMC, 2014.
31. S. K. Fayazbakhsh, L. Chiang, V. Sekar, M. Yu, and J. C. Mogul. Enforcing network-wide policies in the presence of dynamic middlebox actions using FlowTags. In Proc. NSDI, 2014.
32. A. Greenberg, G. Hjalmtysson, D. A. Maltz, A. Myers, J. Rexford, G. Xie, H. Yan, J. Zhan, and H. Zhang. A clean slate 4D approach to network control and management. ACM CCR, 2005.
33. V. Heorhiadi, S. K. Fayaz, M. Reiter, and V. Sekar. Frenetic: A network programming language. Information Systems Security, 2014.
34. Jain et al. B4: Experience with a globally-deployed software defined wan. In Proc. SIGCOMM, 2013.
35. C. Jin, H. Wang, and K. G. Shin. Hop-count filtering: An effective defense against spoofed ddos traffic. In Proc. CCS, 2003.
36. A. Kalai and S. Vempala. Efficient algorithms for online decision problems. J. Comput. Syst. Sci., 2005.
37. M. S. Kang, S. B. Lee, and V. Gligor. The crossfire attack. In Proc. IEEE Security and Privacy, 2013.
38. A. Lakhina, M. Crovella, and C. Diot. Mining Anomalies Using Traffic Feature Distributions. In Proc. SIGCOMM, 2005.
39. R. Mahajan et al. Controlling high bandwidth aggregates in the network. CCR, 2001.
40. N. McKeown et al. OpenFlow: enabling innovation in campus networks. CCR, March 2008.
41. J. Mirkovic and P. Reiher. A taxonomy of ddos attack and ddos defense mechanisms. In CCR, 2004.
42. D. Moore, C. Shannon, D. J. Brown, G. M. Voelker, and S. Savage. Inferring internet denial-of-service activity. ACM Trans. Comput. Syst., 2006.
43. Network functions virtualisation – introductory white paper. http://portal.etsi.org/NFV/NFV_White_Paper.pdf.
44. A. Networks. ATLAS Summary Report: Global Denial of Service. http://atlas.arbor.net/summary/dos.
45. P. Patel et al. Ananta: cloud scale load balancing. In Proc. ACM SIGCOMM, 2013.
46. V. Paxson. Bro: A system for detecting network intruders in real-time. In Computer Networks, 1999.
47. S. Peter, J. Li, I. Zhang, D. R. K. Ports, D. Woos, A. Krishnamurthy, T. Anderson, and T. Roscoe. Arrakis: The operating system is the control plane. In Proc. OSDI, 2014.
48. M. Roesch. Snort - Lightweight Intrusion Detection for Networks. In LISA, 1999.
49. C. Rossow. Amplification hell: Revisiting network protocols for ddos abuse. In Proc. USENIX Security, 2014.
50. M. Roughan. Simplifying the Synthesis of Internet Traffic Matrices. ACM SIGCOMM CCR, 2005.
51. S. Savage, D. Wetherall, A. Karlin, and T. Anderson. Practical network support for ip traceback. In Proc. SIGCOMM, 2000.
52. E. Shi, I. Stoica, D. Andersen, and A. Perrig. OverDoSe: A generic DDoS protection service using an overlay network. Technical Report CMU-CS-06-114, School of Computer Science, Carnegie Mellon University, 2006.
53. S. Shin, P. Porras, V. Yegneswaran, M. Fong, G. Gu, and M. Tyson. FRESCO: Modular composable security services for software-defined networks. In Proc. NDSS, 2013.
54. S. Shin, V. Yegneswaran, P. Porras, and G. Gu. AVANT-GUARD: Scalable and vigilant switch flow management in software-defined networks. In Proc. CCS, 2013.
55. A. Studer and A. Perrig. The coremelt attack. In Proc. ESORICS, 2009.
56. T. Koponen et al. Network virtualization in multi-tenant datacenters. In Proc. NSDI, 2014.
57. P. Verkaik, D. Pei, T. Schollf, A. Shaikh, A. C. Snoeren, and J. E. van der Merwe. Wresting Control from BGP: Scalable Fine-grained Route Control. In Proc. USENIX ATC, 2007.
58. X. Yang, D. Wetherall, and T. Anderson. A dos-limiting network architecture. In Proc. SIGCOMM, 2005.
59. S. Yeganeh, A. Tootoonchian, and Y. Ganjali. On scalability of software-defined networking. Communications Magazine, IEEE, 2013.
60. X. Zhang, H.-C. Hsiao, G. Hasker, H. Chan, A. Perrig, and D. G. Andersen. Scion: Scalability, control, and isolation on next-generation networks. In Proc. IEEE Security and Privacy, 2011.