Design Principles for Network Distributed Denial of Service Defense

Sammanfattning: People, organizations and society are become more and more dependent upon access to Information Systems. Most Information Systems are accessible via the Internet. It is becoming easier and easier to perform successful network attacks against these Information Systems, which causes the system to become unavailable for its intended users. It is also very inexpensive to launch a successful network DRDoS attack against an organization’s servers. One type of distributed denial of service (DDoS) network attack sends a very large volume of traffic towards the victim’s servers. The most common of these volumetric DDoS attacks are described as reflective DDoS service (DRDoS) attacks and the DRDoS defense is the main contribution of this thesis. For years, you have been able to even rent network attack services from criminal organizations, which are often in the form of DRDoS network attacks.The Design Science Research (DSR) approach was used for my research. Included are the DSR cycles performed, including the artifact evaluations. The relationship between the DSR cycles and the published research papers is presented in the paper summary section. The first two papers formed the DSR problem definition. The next three papers used a variety of information hiding techniques to mitigate network attacks. The last paper proposed a different design principle, based on filtering traffic before it reached the public cloud providers. This proposed DRDoS defense approach is to have the public cloud provider request their IP neighbors to filter or drop certain traffic for a big IP block of IP addresses. Then the provider gives IP addresses to their customers, who want this protection, from the big IP block. This way the provider can provide DRDoS protection for hundreds of thousands of customers, with a few firewall rules and the filtering of malicious traffic occurs at the network edge. This solution prevents most of the DRDoS attack traffic from even reaching the public cloud provider. This last research is focused on protecting servers from DRDoS attacks, where the servers are accessible via the Internet and where the servers are or can be hosted via a public cloud provider. This public cloud provider hosting includes accessibility via cloud offerings, such as with Amazon’s Web Services (AWS), Google’s Compute Cloud (GCP), and Microsoft’s Azure. To simplify the discussion, this thesis will focus on Web servers, as the example.The research has been generalized into the following two research design principal contributions. My thesis, including the design principles, contributes to the state of the art network DDoS defense in the following ways:1. Divide and Search for Malicious Network Traffic. After the attack is detected, the IP, Web, and/or DNS address information is changed  This mitigates the attacks since the attacker will not be able to quickly learn the new DNS, Web, or IP connectivity information. This has the effect to reduce or mitigate the effect of the DDoS attacks.2.  Ask IPX Neighbors to Pre-process Network Traffic. With this design principle, we have two types of features. One feature is to stop malicious traffic. This mitigates the attacks at the public cloud provider’s neighbors, so that most of the malicious traffic never even arrives to the cloud provider. This way, the cloud provider no longer needs to process the malicious traffic to filter it out. The other feature is to provide a different quality of service (QoS) for incoming traffic. This allows the public cloud provider’s neighbor to treat the traffic as higher or lower priority traffic.In this thesis, the contributions are how to improve the state of the art DDoS defense solutions, concerning network attacks against Internet accessible servers. We believe that our DRDoS defense contribution is better, more efficient, and/or more effective than the current state of the art DDRoS solutions. Our contributions are focused on network layer attacks as opposed to application, presentation, or transport layer attacks.