Hostname: page-component-78c5997874-fbnjt Total loading time: 0 Render date: 2024-11-15T06:20:14.707Z Has data issue: false hasContentIssue false

Orchestrating DDoS mitigation via blockchain-based network provider collaborations

Published online by Cambridge University Press:  14 April 2020

Adam Pavlidis
Affiliation:
Network Management and Optimal Design Laboratory (NETMODE), National Technical University of Athens, Athens, Greece, e-mails: apavlidis@netmode.ntua.gr, mdimolianis@netmode.ntua.gr, nkostopoulos@netmode.ntua.gr, dkalo@netmode.ntua.gr, maglaris@netmode.ntua.gr
Marinos Dimolianis
Affiliation:
Network Management and Optimal Design Laboratory (NETMODE), National Technical University of Athens, Athens, Greece, e-mails: apavlidis@netmode.ntua.gr, mdimolianis@netmode.ntua.gr, nkostopoulos@netmode.ntua.gr, dkalo@netmode.ntua.gr, maglaris@netmode.ntua.gr
Kostas Giotis
Affiliation:
Technology R&D, PCCW Global, Athens, Greece, e-mails: kyiotis@pccwglobal.com, lanagnostou@pccwglobal.com, ttsigkritis@pccwglobal.com, ikotinas@pccwglobal.com
Loukas Anagnostou
Affiliation:
Technology R&D, PCCW Global, Athens, Greece, e-mails: kyiotis@pccwglobal.com, lanagnostou@pccwglobal.com, ttsigkritis@pccwglobal.com, ikotinas@pccwglobal.com
Nikolaos Kostopoulos
Affiliation:
Network Management and Optimal Design Laboratory (NETMODE), National Technical University of Athens, Athens, Greece, e-mails: apavlidis@netmode.ntua.gr, mdimolianis@netmode.ntua.gr, nkostopoulos@netmode.ntua.gr, dkalo@netmode.ntua.gr, maglaris@netmode.ntua.gr
Theocharis Tsigkritis
Affiliation:
Technology R&D, PCCW Global, Athens, Greece, e-mails: kyiotis@pccwglobal.com, lanagnostou@pccwglobal.com, ttsigkritis@pccwglobal.com, ikotinas@pccwglobal.com
Ilias Kotinas
Affiliation:
Technology R&D, PCCW Global, Athens, Greece, e-mails: kyiotis@pccwglobal.com, lanagnostou@pccwglobal.com, ttsigkritis@pccwglobal.com, ikotinas@pccwglobal.com
Dimitrios Kalogeras
Affiliation:
Network Management and Optimal Design Laboratory (NETMODE), National Technical University of Athens, Athens, Greece, e-mails: apavlidis@netmode.ntua.gr, mdimolianis@netmode.ntua.gr, nkostopoulos@netmode.ntua.gr, dkalo@netmode.ntua.gr, maglaris@netmode.ntua.gr
Vasilis Maglaris
Affiliation:
Network Management and Optimal Design Laboratory (NETMODE), National Technical University of Athens, Athens, Greece, e-mails: apavlidis@netmode.ntua.gr, mdimolianis@netmode.ntua.gr, nkostopoulos@netmode.ntua.gr, dkalo@netmode.ntua.gr, maglaris@netmode.ntua.gr

Abstract

Network providers either attempt to handle massive distributed denial-of-service attacks themselves or redirect traffic to third-party scrubbing centers. If providers adopt the first option, it is sensible to counter such attacks in their infancy via provider collaborations deploying distributed security mechanisms across multiple domains in an attack path. This motivated our work presented in this paper. Specifically, we investigate the establishment of trusted federations among adjacent and disjoint network domains, that is, autonomous systems (ASes) that collectively mitigate malicious traffic. Our approach is based on Distributed Ledger Technologies for signaling, coordination, and orchestration of a collaborative mitigation schema via appropriate blockchain-based smart contracts. Reputation scores are used to rank ASes based on their mitigation track record. The allocation of defense resources across multiple collaborators is modeled as a combinatorial optimization problem considering reputation scores and network flow weights. Malicious flows are mitigated using programmable network data paths within the eXpress Data Path (XDP) framework; this enables operators with enhanced packet processing throughput and advanced filtering flexibility. Our schema was implemented in a proof-of-concept prototype and tested under realistic network conditions.

Type
Research Article
Copyright
© Cambridge University Press, 2020

Access options

Get access to the full version of this content by using one of the access options below. (Log in options will check for institutional or personal access. Content may require purchase if you do not have access.)

References

3DCoP: DDoS Defense for a Community of Peers. 2016. available at: https://galois.com/project/3dcop-ddos-defense/Google Scholar
Back, A., Matt, C., Luke, D., Mark, F., Gregory, M., Andrew, M., Andrew, P., Jorge, T. & Pieter, W. 2014. “Enabling blockchain innovations with pegged sidechains”, available at: http://www.opensciencereview.com/papers/123/enablingblockchain-innovations-with-pegged-sidechainsGoogle Scholar
Bertin, G. 2017. “XDP in practice: Integrating XDP into our DDoS Mitigation Pipeline”, https://netdevconf.org/2.1/papers/Gilberto_Bertin_XDP_in_practice.pdfGoogle Scholar
Bloom, B.H. 1970. “Space/Time Trade-offs in Hash-Coding with Allowable Errors”, in Communications of the ACM 13(7), 422426.CrossRefGoogle Scholar
Broder, A. & Mitzenmacher, M. 2004. “Network Applications of Bloom Filters: A Survey”, Internet Mathematics 1(4), 485509.CrossRefGoogle Scholar
Buterin, V. 2015. “On Public and Private Blockchains”, available at: https://blog.ethereum.org/2015/08/07/on-public-and-private-blockchains/Google Scholar
Claise, B., Ed., 2004. “Cisco Systems NetFlow Services Export Version 9”, October.CrossRefGoogle Scholar
ConsenSys – Harness the power of Ethereum. 2014. available at: https://new.consensys.net/Google Scholar
Decentralized CDN, WAF, and DDoS protection. 2018. available at: https://gladius.ioGoogle Scholar
Dimolianis, M., Pavlidis, A., Kalogeras, D. & Maglaris, V. 2019. “Mitigation of Multi-vector Network Attacks via Orchestration of Distributed Rule Placement”, in proc. of the IFIP/IEEE International Symposium on Integrated Network Management (IM 2019), Washington D.C., USA, pp. 162–170, April.Google Scholar
Ethereum Network Intelligence API. 2016. available at: https://github.com/cubedro/eth-net-intelligence-apiGoogle Scholar
Ethereum Network Stats. 2016. available at: https://github.com/cubedro/eth-netstatsGoogle Scholar
Ethereum Project. 2015. available at: https://github.com/ethereum/Google Scholar
Giotis, K., Androulidakis, G. & Maglaris, V. 2015. “A Scalable Anomaly Detection and Mitigation Architecture for Legacy Networks via an OpenFlow Middlebox”, in Security and Communication Networks, pp. 19581970.Google Scholar
Giotis, K., Apostolaki, M. & Maglaris, V. 2016. “A Reputation-based Collaborative Schema for the Mitigation of Distributed Attacks in SDN domains”, in proc. of the IEEE/IFIP Network Operations and Management Symposium, pp. 495–501, April.CrossRefGoogle Scholar
Giotis, K., Pavlidis, A., Anagnostou, L., Dimolianis, M., Tsigkritis, T., Kalogeras, D., Kostopoulos, N., Kotinas, I. & Maglaris, V. 2018. “Blockchain-based Federation of Network Providers for Collaborative DDoS Mitigation”, 3rd Symposium on Distributed Ledger Technology, Gold Coast, Australia, November.Google Scholar
Gruhler, A., Rodrigues, B. & Stiller, B. 2019. “A Reputation Scheme for a Blockchain-based Network Cooperative Defense” in proc. of the IFIP/IEEE International Symposium on Integrated Network Management (IM 2019), Washington D.C., USA, pp. 71–79, April.Google Scholar
Høiland-jørgensen, T., Borkmann, D., Fastabend, J., Herbert, T., Ahern, D. & Miller, D. 2018. “The eXpress Data Path: Fast Programmable Packet Processing in the Operating System Kernel”, in proc. of the 14th ACM International Conference on emerging Network Experiments and Technologies (CoNEXT ’18), pp. 54–66, December.CrossRefGoogle Scholar
InterPlanetary File System (IPFS). 2015. available at: https://ipfs.io/Google Scholar
Josang, , A. & Ismail, R. 2002. “The Beta Reputation System”, in proc. of the 15th Bled Electronic Commerce Conference. 5, 2502–2511, June.Google Scholar
Kim, K., You, Y., Park, M. & Lee, K. 2018. “DDoS Mitigation: Decentralized CDN Using Private Blockchain” in Tenth International Conference on Ubiquitous and Future Networks (ICUFN), July.CrossRefGoogle Scholar
Konečný, J., McMahan, H. B., Yu, F. X., Richtárik, P., Suresh, A. T. & Bacon, D., 2016. “Federated Learning: Strategies for Improving Communication Efficiency”, available at: https://arxiv.org/pdf/1610.05492.Google Scholar
Malomo, O. O., Rawat, D. & Garuba, M. 2018. “Next-generation cybersecurity through a blockchain-enabled federated cloud framework”, The Journal of Supercomputing 128, May.CrossRefGoogle Scholar
Mannhart, S., Rodrigues, B., Scheid, E., Kanhere, S. S., & Stiller, B. 2018. “Toward Mitigation-as-a-Service in Cooperative Network Defenses,” in 2018 IEEE 16th Intl Conf on Dependable, Autonomic and Secure Computing, 16th International Conference on Pervasive Intelligence and Computing, 4th International Conference on Big Data Intelligence and Computing and Cyber Science and Technology Congress (DASC/PiCom/DataCom/CyberSciTech), pp. 362–367, August.CrossRefGoogle Scholar
Marques, P., Sheth, N., Raszuk, R., Greene, B., Mauch, J. & McPherson, D. 2009. “Dissemination of Flow Specification Rules”, RFC 5575, available at: http://www.ietf.org/rfc/rfc5575.txtCrossRefGoogle Scholar
McKeown, N., Anderson, T., Balakrishnan, H., Parulkar, G., Peterson, L., Rexford, J., Shrenker, S. and Turner, J. 2008. “OpenFlow: enabling Innovation in Campus Networks”, in ACM SIGCOMM Computer Communication Review 38(2), 6974.CrossRefGoogle Scholar
Memcached DDoS Attacks: 95,000 Servers Vulnerable to Abuse. 2018. available at: https://www.bankinfosecurity.com/memcached-ddos-attacks-95000-servers-vulnerable-to-abuse-a-10705Google Scholar
Mortensen, A., Andreasen, F., Reddy, T., Gray, C., Compton, R. & Teague, N. 2019. “DDoS Open Threat Signaling (dots)”, available at: https://datatracker.ietf.org/wg/dots/CrossRefGoogle Scholar
Mutually Agreed Norms for Routing Security. 2016. available at: https://www.manrs.org/Google Scholar
Netflow Processing Tools – nfdump. 2018. https://github.com/phaag/nfdumpGoogle Scholar
O’Sullivan, M., Lim, Q. S., Walker, C., Dunning, I. & Mitchell, S. 2011. “Dippy: A Simplified Interface for Advanced Mixed-integer Programming”, Report 685, University of Auckland Faculty of Engineering.Google Scholar
Phaal, P. & Lavine, M. 2004. “sFlow Version 5”, available at: https://sflow.org/sflow_version_5.txtGoogle Scholar
Proof-of-Authority Chains. 2017. available at: https://wiki.parity.io/Proof-of-Authority-ChainsGoogle Scholar
Rashidi, B., Fung, C. & Bertino, E. 2017. “A Collaborative DDoS Defence Framework Using Network Function Virtualization,” IEEE Transactions on Information Forensics and Security 12(10), 24832497.CrossRefGoogle Scholar
Rodrigues, B., Bocek, T., Lareida, A., Hausheer, D., Rafati, S. & Stiller, B. 2017. “A Blockchain-Based Architecture for Collaborative DDoS Mitigation with Smart Contracts”, in IFIP International Conference on Autonomous Infrastructure, Management and Security, pp. 16–29, June.CrossRefGoogle Scholar
Santanna, J. J., van Rijswijk-Deij, R., Hofstede, R., Sperotto, A., Wierbosch, M., Granville, L. Z, & Pras, A. 2015. “Booters—An Analysis of DDoS-as-a-Service Attacks”, Integrated Network Management (IM), in proc. of the 2015 IFIP/IEEE International Symposium, pp. 243–251.Google Scholar
Solidity Programming Language. 2019. available at: https://github.com/ethereum/solidityGoogle Scholar
The CAIDA UCSD Anonymized Internet Traces 2016. available at: http://www.caida.org/data/passive/passive_2016_dataset.xmlGoogle Scholar
The Incident Object Description Exchange Format 2007. https://tools.ietf.org/html/rfc5070Google Scholar
Van Rijswijk-Deij, R., Rijnders, G., Bomhoff, M. & Allodi, L. 2019. “Privacy-Conscious Threat Intelligence Using DNSBLOOM”, in proc. of the IFIP/IEEE International Symposium on Integrated Network Management (IM 2019), Washington D.C., USA, pp. 98–106, April.Google Scholar