Dynamic Binary User-Splits to Protect Cloud Servers from DDoS Attacks

Quantified Score

Visualization

Abstract

Several overlay-based solutions have been proposed to protect network servers from DoS/DDoS attacks. The common objective in the existing solutions is to prevent the attacking traffic from reaching the servers by hiding the location of target server computers. The recent evolutions in DDoS attacks, especially in the increase in the number of bots involved in a DDoS attack and in the degree of control such bots have to the hijacked host computers, cause serious threats to the overlay-based solutions. We designed and assessed the potential of the new overlay-based security architecture that addresses the recent evolutions in DDoS attacks. The new security architecture, called "Dynamic Binary User-Splits (DBUS)", is designed to protect cloud servers (a) when their legitimate users convert to DoS/DDoS attackers or (b) when DDoS attacks are launched from the legitimate users' host computers that are hijacked by DDoS coordinators. DBUS copes with the situations by sieving attacking traffic from the hijacked legitimate users' host computers using dynamic binary user splits over the migrating entry points to an overlay network. Our discrete event driven simulation suggested that DBUS will efficiently sieve DDoS attacking hosts in many different situations, when a small number of attacking hosts hide behind a large legitimate user group, or when a stampede of DDoS attacking hosts occupy the majority of incoming traffic, without requiring a large number of migrating entry points. We also found that how quickly each migrating entry point can detect excess traffic is a key to keep convergence delay short.