Research Briefs on Information & Communication Technology Evolution (Oct 2020)

Mitigating DRDoS Network Attacks via Consolidated Deny Filter Rules

  • Todd Booth,
  • Karl Andersson

DOI
https://doi.org/10.22667/ReBiCTE.2020.10.01.002
Journal volume & issue
Vol. 6, no. 1
pp. 2:1 – 2:11

Abstract


This article concerns distributed reflection denial of service (DRDoS) attacks. These attacks are increasingly frequent and large in scale, and are among the biggest threats on the Internet. The paper discusses how best to defend against them, at very low cost, using public cloud defenses such as Amazon AWS, Google GCP and Microsoft Azure. Our mitigation strategy takes advantage of the fact that, in a reflection attack, the attacker cannot set the source port of the reflected traffic to an arbitrary value of their choosing. We propose that the customer host their Web servers and other supporting servers in the public cloud. The cloud provider then reserves a CIDR block of IP addresses that will be protected, and customers who opt in are allocated an IP address from this block. This block supplies the IP-address component of the firewall deny rules. The public cloud providers then use BGP4 Flow-Spec, or a scripting solution, to have their neighboring IP service providers perform the actual filtering of DRDoS attack traffic aimed at these servers.
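The following is an added illustration of the consolidated deny rules the abstract describes; it is not code from the paper or from any cloud provider. It assumes the match direction that the fixed-source-port observation implies: reflected traffic arrives destined to the protected block with the reflector's service port as its UDP source port, so one deny rule per reflector port covers the whole block instead of one rule per protected address. The reflector port list, the prefix 192.0.2.0/24, the packets and the ExaBGP-style Flow-Spec text are all constructed for the example (check the announce syntax against your own router or ExaBGP version before using it).

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Well-known UDP services abused as DRDoS reflectors.  The reflector answers from
# its fixed service port, which is what the attacker cannot change.  This list is
# an assumption for the example, not the paper's list.
REFLECTOR_PORTS: Dict[int, str] = {
    53: "dns",
    123: "ntp",
    389: "cldap",
    1900: "ssdp",
    11211: "memcached",
}


@dataclass(frozen=True)
class DenyRule:
    """One consolidated rule: drop UDP from a reflector port to the whole protected block."""
    dst_prefix: ipaddress.IPv4Network
    src_port: int
    proto: str = "udp"

    def to_flowspec(self) -> str:
        # ExaBGP-style announce line (syntax assumed for illustration).
        return (f"announce flow route {{ match {{ destination {self.dst_prefix}; "
                f"protocol {self.proto}; source-port ={self.src_port}; }} "
                f"then {{ discard; }} }}")


def consolidated_rules(protected: str, ports: Dict[int, str] = REFLECTOR_PORTS) -> List[DenyRule]:
    """One rule per reflector port, each covering the entire protected CIDR block."""
    net = ipaddress.ip_network(protected, strict=True)
    return [DenyRule(net, port) for port in sorted(ports)]


def per_host_rule_count(protected: str, ports: Dict[int, str] = REFLECTOR_PORTS) -> int:
    """Rule count if the same protection were expressed per address instead of per block."""
    net = ipaddress.ip_network(protected, strict=True)
    return net.num_addresses * len(ports)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


def is_dropped(pkt: Packet, rules: List[DenyRule]) -> bool:
    """Apply the consolidated deny rules to a packet (first match wins; no match means allow)."""
    dst = ipaddress.ip_address(pkt.dst)
    return any(pkt.proto == r.proto and pkt.sport == r.src_port and dst in r.dst_prefix
               for r in rules)


# Constructed sample traffic toward a protected Web server at 192.0.2.10.
SAMPLE_PACKETS = {
    "dns_reflection": Packet("198.51.100.7", "192.0.2.10", "udp", 53, 40001),
    "ntp_reflection": Packet("198.51.100.9", "192.0.2.10", "udp", 123, 40002),
    "https_client": Packet("203.0.113.5", "192.0.2.10", "tcp", 51514, 443),
    "udp_high_ports": Packet("203.0.113.6", "192.0.2.10", "udp", 40003, 40004),
    "reflection_elsewhere": Packet("198.51.100.7", "203.0.113.99", "udp", 53, 40005),
}


def classify(protected: str = "192.0.2.0/24") -> Dict[str, bool]:
    rules = consolidated_rules(protected)
    return {name: is_dropped(pkt, rules) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for rule in consolidated_rules("192.0.2.0/24"):
        print(rule.to_flowspec())
    print("consolidated rules:", len(consolidated_rules("192.0.2.0/24")),
          "vs per-host:", per_host_rule_count("192.0.2.0/24"))
    for name, dropped in classify().items():
        print(f"{name:22s} {'DROP' if dropped else 'allow'}")
```

The caveat a practitioner should weigh: a blanket deny on a reflector source port also drops legitimate answers from that service, for example real DNS responses to a resolver inside the block. The scheme therefore suits the servers the abstract names (Web and supporting servers that do not need to receive such responses on a protected address), not arbitrary hosts.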

Keywords