Umbrella: Enabling ISPs to Offer Readily Deployable and Privacy-Preserving DDoS Prevention Services

by Zhuotao Liu, et al.

Defending against distributed denial of service (DDoS) attacks in the Internet is a fundamental problem. However, recent industry interviews with over 100 security experts from more than ten industry segments indicate that DDoS problems have not been fully addressed. The reasons are twofold. On one hand, many academic proposals that are provably secure see little real-world deployment. On the other hand, the operating model of existing DDoS-prevention service providers (e.g., Cloudflare, Akamai) is privacy-invasive for large organizations (e.g., governments). In this paper, we present Umbrella, a new DDoS defense mechanism that enables Internet Service Providers (ISPs) to offer readily deployable and privacy-preserving DDoS prevention services to their customers. At its core, Umbrella develops a multi-layered defense architecture to defend against a wide spectrum of DDoS attacks. In particular, the flood throttling layer stops amplification-based DDoS attacks; the congestion resolving layer, aimed at sophisticated attacks that cannot be easily filtered, enforces congestion accountability to ensure that legitimate flows are guaranteed their fair shares regardless of attackers' strategies; and finally the user-specific layer allows DDoS victims to enforce the traffic control policies best suited to their business logic. Based on a Linux implementation, we demonstrate that Umbrella is capable of handling large-scale attacks involving millions of attack flows while imposing negligible packet processing overhead. Further, our physical testbed experiments and large-scale simulations demonstrate that Umbrella is effective in mitigating DDoS attacks.
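The congestion resolving layer's promise, that legitimate flows keep their fair share regardless of what attackers do, can be made concrete with a small allocation model. The following is an added illustration written for this page, not code from the Umbrella paper or its Linux implementation: it contrasts a bottleneck with no accountability (bandwidth split in proportion to offered load, which is what a plain FIFO queue converges to) against max-min fair sharing, and then against a two-level variant that first shares capacity across accountable senders and only then among each sender's flows. The abstract does not state Umbrella's unit of accountability, so the per-sender grouping, the link capacity and the traffic mix below are constructed assumptions; the names `build_scenario`, `accountable_fair_share` and the like are the example's own.

```python
"""Illustrative fair-share allocation under flooding (added example, not Umbrella's code)."""
from collections import defaultdict

LINK_MBPS = 100.0  # assumed bottleneck capacity for the constructed scenarios


def max_min_fair_share(demands, capacity):
    """Water-filling max-min fair allocation of `capacity` among `demands`.

    demands: {name: offered_rate}. Flows that ask for less than an equal share
    are fully satisfied and their leftover is redistributed to the rest."""
    alloc = {}
    remaining = dict(demands)
    cap = capacity
    while remaining:
        share = cap / len(remaining)
        satisfied = {f: d for f, d in remaining.items() if d <= share}
        if not satisfied:
            # every remaining flow wants more than an equal share: split evenly
            for f in remaining:
                alloc[f] = share
            break
        for f, d in satisfied.items():
            alloc[f] = d
            cap -= d
            del remaining[f]
    return alloc


def proportional_share(demands, capacity):
    """No accountability: capacity is split in proportion to offered load,
    so whoever floods hardest takes the most."""
    total = sum(demands.values())
    if total <= capacity:
        return dict(demands)
    return {f: capacity * d / total for f, d in demands.items()}


def demands_of(flows):
    """flows: {flow_name: (sender, demand)} -> {flow_name: demand}."""
    return {name: demand for name, (_sender, demand) in flows.items()}


def accountable_fair_share(flows, capacity):
    """Two-level max-min: capacity is first shared fairly across accountable
    senders (assumed accountability unit), then among each sender's flows.
    Spawning more flows therefore cannot enlarge a sender's aggregate share."""
    per_sender = defaultdict(dict)
    for name, (sender, demand) in flows.items():
        per_sender[sender][name] = demand
    sender_demand = {s: sum(d.values()) for s, d in per_sender.items()}
    sender_alloc = max_min_fair_share(sender_demand, capacity)
    alloc = {}
    for sender, sender_flows in per_sender.items():
        alloc.update(max_min_fair_share(sender_flows, sender_alloc[sender]))
    return alloc


def build_scenario(attack_flows_per_bot, bots=5, legit_users=10):
    """Constructed traffic mix: each legitimate user sends one 1 Mbps flow;
    each bot sends `attack_flows_per_bot` flows offering 50 Mbps apiece."""
    flows = {}
    for i in range(legit_users):
        flows[f"legit{i}"] = (f"user{i}", 1.0)
    for b in range(bots):
        for j in range(attack_flows_per_bot):
            flows[f"attack{b}_{j}"] = (f"bot{b}", 50.0)
    return flows


def legit_total(alloc):
    """Aggregate rate (Mbps) the legitimate flows actually receive."""
    return round(sum(r for f, r in alloc.items() if f.startswith("legit")), 6)


if __name__ == "__main__":
    for flows_per_bot in (1, 100):
        flows = build_scenario(flows_per_bot)
        print(f"{flows_per_bot} attack flow(s) per bot, 10 Mbps of legitimate demand:")
        print("  proportional :", legit_total(proportional_share(demands_of(flows), LINK_MBPS)))
        print("  per-flow fair:", legit_total(max_min_fair_share(demands_of(flows), LINK_MBPS)))
        print("  per-sender   :", legit_total(accountable_fair_share(flows, LINK_MBPS)))
```

With five bots each sending a single 50 Mbps flow, proportional sharing leaves the ten legitimate users under 4 Mbps in total, while max-min sharing gives them all of their 10 Mbps. When each bot instead splits its flood into 100 flows, per-flow fairness is gamed and the legitimate users drop below 2 Mbps; only the per-sender accounting keeps them at 10 Mbps, which is the point of tying fair shares to an accountable entity rather than to individual flows.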
