Stratum Filtering: Cloud-based Detection of Attack Sources

A. Herzberg, Haya Schulmann, M. Waidner
Proceedings of the 2016 ACM on Cloud Computing Security Workshop. Published 2016-10-28. DOI: 10.1145/2996429.2996440 (https://doi.org/10.1145/2996429.2996440)
Citations: 0

Abstract

Denial of Service (DoS) attacks pose a critical threat to the stability and availability of the Internet. In Distributed DoS (DDoS) attacks, multiple attacking agents cooperate in an attempt to cause excessive load in order to disconnect a victim. The frequency and volume of DoS attacks continue to break records, reaching 400Gb/s. Although many defenses were proposed, very few are adopted, due to low effectiveness, high costs and the changes required to integrate them into the existing infrastructure. To improve resilience against DDoS attacks, service providers move their operations to cloud platforms. Unfortunately, even if the cloud applies filtering, rate limiting and deep packet inspection, the attacker can subvert those defenses by distributing the attack among multiple attacking IP addresses and aiming the flood at the victim. In this talk we focus on DDoS attacks which disrupt the availability of a service by depleting the bandwidth or the resources of an operating system or application on the server side. Such attackers typically employ a botnet to generate large traffic volumes. A botnet consists of bots (compromised computers) located in different parts of the Internet. The bots, depending on their privileges on the victim host, send multiple packets either from spoofed addresses or using their real IP addresses. We utilize the cloud platform to implement Stratum Filtering, a novel mechanism aimed at protecting the availability and resilience of the web servers hosted on clouds. Our mechanism is easy to integrate into the cloud platform and does not require changes to the existing infrastructure or to the protected servers. Stratum Filtering facilitates the large IP address blocks allocated to the clouds, distributed availability zones and the support of service migration within the cloud platforms. These advantages offered by clouds enable us to restrict the attacker to a naive strategy where the best possible attack is to simply flood the entire IP address block allocated to the cloud. However, such an attack requires a huge volume of traffic, exposing malicious sources. In addition, controlling and coordinating a large number of bots that would suffice for disconnecting a cloud is not trivial to accomplish. Stratum Filtering is composed of three layers, such that each successive layer applies filtering targeted at blocking a different type of attack traffic on the network, transport or application layers. The filtering uses the difference in behavior of legitimate clients vs bots to identify and filter traffic arriving from non-standard clients. To characterize …