Mitigating DRDoS Network Attacks via Consolidated Deny Filter Rules

• This article is concerning distributed reflection denial of service (DRDoS) attacks.  These DRDoS attacks are more frequent and large scale, and are one of the biggest threats on the Internet. This paper discusses the best way to defend from these attacks using public cloud defenses, such as Amazon AWS, Google GCP, and Microsoft Azure, at a very low cost.  Our mitigation strategy takes advantage of the fact that the attacker does not have full control to change the source IP port to anything they want, when used in these reflective attacks.  We propose to have the customer host their Web servers and other types of supporting servers in the public cloud.  The cloud provider then reserves a /CIDR block of IP addresses, which will be protected.  The cloud providers customers who opt in, will be allocated an IP address from this block.  This block will be used as the source IP address deny portion of the firewall rule-sets.  Then the public cloud providers will use BGP4 Flow-Spec or some scripting solution, to have their IP service provider neighbors perform the actual filtering of the DRDoS attack traffic concerning attacks against these servers.

Subject headings

SAMHÄLLSVETENSKAP  -- Medie- och kommunikationsvetenskap -- Systemvetenskap, informationssystem och informatik med samhällsvetenskaplig inriktning (hsv//swe)

SOCIAL SCIENCES  -- Media and Communications -- Information Systems, Social aspects (hsv//eng)

NATURVETENSKAP  -- Data- och informationsvetenskap -- Datavetenskap (hsv//swe)

NATURAL SCIENCES  -- Computer and Information Sciences -- Computer Sciences (hsv//eng)

Keyword

DDoS

DRDoS

BGP4 Flow-Spec

Cloud security

Information systems

Informationssystem

Pervasive Mobile Computing

Distribuerade datorsystem

Publication and Content Type

ref (subject category)

art (subject category)