Please use this identifier to cite or link to this item:
http://hdl.handle.net/10397/97756
| DC Field | Value | Language |
|---|---|---|
| dc.contributor | Department of Computing | - |
| dc.creator | Miu, Tung Ngai | - |
| dc.identifier.uri | https://theses.lib.polyu.edu.hk/handle/200/12228 | - |
| dc.language.iso | English | - |
| dc.title | Defending against advanced DDoS attacks | - |
| dc.type | Thesis | - |
| dcterms.abstract | Distributed denial of service (DDoS) attacks have been a severe threat to the Internet for decades. Although many detection and defense mechanisms have been proposed, the attackers always attempt to evade the detection by adopting various sophisticated approaches. In this thesis, we investigate such advanced DDoS attacks from three aspects. First, we inspect application layer DDoS attacks because their attack requests can be the same as benign ones for evasion and exhaust the computational resources of target servers. Specifically, we first design a new approach to model users' browsing behaviors and use it to differentiate between attacks and benign visits at both session and page level. Then, we develop an effective defense system named SkyShield that leverages the sketch data structure to detect and mitigate application-layer DDoS attacks quickly. Second, network layer volumetric attacks are becoming even more popular with the emergence of the DDoS-as-a-service economy, and most attacks are launched abruptly. Hence, a defense system should adopt an effective process to detect and mitigate the attacks as soon as possible. Since different DDoS protection services (DPS) adopt diverse defense strategies, we characterize the Border Gateway Protocol (BGP)-based DPSes by proposing a machine learning based approach to analyze BGP update messages. Third, to better understand the trends of DDoS amplification attacks, we deploy DDoSTrap, a high-performance honeypot to collect data and report interesting observations after analyzing 4-year data. We conducted extensive experiments to evaluate the proposed approaches, and the experimental results demonstrate their effectiveness. Moreover, our findings shed light on the trends of DDoS attacks and the design of effective DDoS attack mitigation schemes. | - |
| dcterms.accessRights | open access | - |
| dcterms.educationLevel | M.Phil. | - |
| dcterms.extent | xiv, 94 pages : color illustrations | - |
| dcterms.issued | 2022 | - |
| dcterms.LCSH | Computer networks -- Security measures | - |
| dcterms.LCSH | Denial of service attacks | - |
| dcterms.LCSH | Hong Kong Polytechnic University -- Dissertations | - |
| Appears in Collections: | Thesis | |
Access
View full-text via https://theses.lib.polyu.edu.hk/handle/200/12228


