Abstract

Mitigation of Distributed Denial of Service (DDoS) attacks typically relies on source IP-based filtering rules; these may present scaling issues due to the vast number of sources involved. By contrast, we propose a source IP-agnostic DDoS traffic classification and filtering schema that identifies malicious packet signatures via supervised Machine Learning methods and subsequently generates signature-based filtering rules. To accelerate packet processing, our schema utilizes XDP middleboxes operating as programmable Deep Packet Inspectors. Signatures are extracted from network traffic as unique combinations of the most significant packet features; these are subsequently fed to supervised Machine Learning algorithms that classify them as malicious or benign. Malicious signatures undergo a reduction process tailored to the attack vector in order to generate a concise set of filtering rules, thus expediting mitigation performance. Our schema was implemented as a proof of concept and evaluated for DNS volumetric attacks in terms of signature classification accuracy and packet filtering throughput. Experiments were based on benign and malicious traffic datasets recorded in production network environments. Our approach was compared to source-based mechanisms in terms of (i) malicious traffic identification, (ii) filtering rule cardinality, and (iii) the packet processing throughput required in modern high-speed networks. The experimental results demonstrate that our signature-based approach outperforms IP-based alternatives, achieving high detection accuracy and significant generalization capabilities.
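The signature pipeline the abstract describes (extract unique field-value combinations, take the classifier's malicious/benign verdict per signature, reduce malicious signatures to a concise rule set, and compare the rule count with a per-source-IP baseline) as an added worked example; this is not the paper's code, the field selection and the constructed packet records are assumptions, the labels stand in for the supervised classifier's output, and the reduction is an illustrative wildcarding procedure rather than the paper's exact method.

```python
from itertools import combinations

# Illustrative "most significant" fields for DNS amplification responses (assumed).
FIELDS = ("udp_sport", "dns_qr", "dns_qtype", "len_bucket")

# Constructed records: (src_ip, udp_sport, dns_qr, dns_qtype, len_bucket, is_attack).
# The labels stand in for the supervised classifier's verdict on each signature.
PACKETS = [
    ("198.51.100.1", 53, 1, "ANY", "large", True),
    ("198.51.100.2", 53, 1, "ANY", "large", True),
    ("198.51.100.3", 53, 1, "TXT", "large", True),
    ("198.51.100.4", 53, 1, "TXT", "large", True),
    ("198.51.100.5", 53, 1, "ANY", "large", True),
    ("192.0.2.10", 53, 1, "A", "small", False),
    ("192.0.2.11", 53, 1, "AAAA", "small", False),
    ("192.0.2.12", 53, 1, "TXT", "small", False),  # benign TXT reply
]

def extract_signatures(packets):
    """A signature is one unique combination of the selected field values."""
    malicious, benign = set(), set()
    for rec in packets:
        (malicious if rec[-1] else benign).add(tuple(rec[1:1 + len(FIELDS)]))
    return malicious, benign

def matches(rule, sig):
    return all(r == "*" or r == s for r, s in zip(rule, sig))

def reduce_signatures(malicious, benign):
    """Wildcard as many fields as possible per malicious signature without matching
    any benign one, preferring rules that cover the most attack signatures."""
    rules, n = set(), len(FIELDS)
    for sig in malicious:  # a signature also seen as benign yields no rule
        for k in range(1, n + 1):
            cands = []
            for keep in combinations(range(n), k):
                rule = tuple(v if i in keep else "*" for i, v in enumerate(sig))
                if not any(matches(rule, b) for b in benign):
                    cands.append((sum(matches(rule, m) for m in malicious), rule))
            if cands:
                rules.add(max(cands, key=lambda c: c[0])[1])
                break
    return rules

def compare(packets=PACKETS):
    """Return (source-IP rule count, signature rule count, signature rules)."""
    mal, ben = extract_signatures(packets)
    ip_rules = {rec[0] for rec in packets if rec[-1]}   # one rule per attacker
    sig_rules = reduce_signatures(mal, ben)
    return len(ip_rules), len(sig_rules), sig_rules
```

On the constructed sample the five attacking sources need five IP-based rules, while both malicious signatures collapse to the single rule `("*", "*", "*", "large")`, which still matches none of the benign signatures.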

Highlights

  • Distributed Denial of Service (DDoS) attacks originate from compromised hosts and/or exploited vulnerable systems producing traffic from a large number of sources [1]

  • To counter the shortcomings of IP-based schemes, we propose a source IP-agnostic DDoS protection mechanism that classifies and mitigates network attacks based on packet signatures, i.e., unique combinations of packet field values

  • In subsection II-A (Background & Related Work), we present background information related to advances in programmable data planes, focusing on eXpress Data Path (XDP) as a key component in our architecture


Summary

INTRODUCTION

Distributed Denial of Service (DDoS) attacks originate from compromised hosts and/or exploited vulnerable systems producing traffic from a large number of sources [1]. Legacy DDoS protection mechanisms maintain statistics based on source IP or network flows to detect and mitigate malicious traffic. XDP is executed prior to heavy networking stack operations and can be seamlessly ported to various Linux machines. It provides high-performance programmable packet processing on Commercial off-the-shelf (COTS) hardware, enabling deployment even within application servers to gather data on or filter malicious traffic. In [14], an OpenFlow (OF) DDoS detection mechanism was presented. It periodically collects entries from OF-enabled network devices, extracts flow-related features and classifies them using Self-Organizing Maps (SOM). Cloudflare, currently one of the largest Content Delivery Networks (CDN) that offers DDoS protection services, employs packet signatures to filter malicious traffic [24]. To the best of our knowledge, the exact methods for traffic classification and signature-based filtering are not publicly available and we cannot compare our approach with them.

DESIGN PRINCIPLES & ARCHITECTURAL OVERVIEW
IMPLEMENTATION DETAILS
EXPERIMENTAL EVALUATION
Packet Header Field Selection for DNS Amplification attacks
Findings
CONCLUSION
