Network Security of Internet Services: Eliminate DDoS Reflection Amplification Attacks

Todd Booth (1, +) and Karl Andersson (2)
Division of Computer Science, Luleå University of Technology, Sweden
1 Information Systems
2 Pervasive and Mobile Computing Laboratory
+ Corresponding author: Todd Booth

Abstract

Our research problem is that there are a large number of successful network reflection DDoS attacks. Via a UDP reflection attack, an attacker can send just 1 Gb/s of payload to innocent servers, and it is these servers which then send over 4,600 times that payload to the victim. There are very expensive and complex solutions in use today; however, almost all of these on-premise solutions can be easily circumvented. The academic community has not adequately addressed this research problem. We have created a new network security attack surface mitigation methodology for Internet services. Our novel design patterns will help organizations improve the price/performance of their anti-network-reflection solution by 100 times, as compared to common on-premise solutions. Our analysis and results confirm that our solution is viable. Our novel solution is based on stateless IP packet header filtering firewalls (which can be implemented mostly in hardware due to their simplicity). We have reduced, and in some cases eliminated, the need for researchers to even try to find new ways to filter the same traffic via more complex, software-driven stateful solutions.

Keywords: Internet Services, Information Systems, Network Security, Firewall, Cloud

Journal of Internet Services and Information Security (JISIS), 5(3): 58-79, August 2015
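The abstract's central claim is that reflected UDP traffic can be dropped by a stateless filter that looks only at IP and transport header fields, with no flow table or payload inspection. The following is an added illustration of that principle, not the paper's own design patterns (the abstract does not describe them) and not code from the authors. It assumes a protected Internet service that only offers TCP ports 443 and 80; the addresses, the allowlist and the traffic sample are constructed, and the UDP source ports 53 and 123 are used purely as example reflector service ports.

```python
from dataclasses import dataclass
from collections import Counter


@dataclass(frozen=True)
class PacketHeader:
    """The few IP/transport header fields a stateless filter inspects."""
    src_ip: str
    dst_ip: str
    protocol: str   # "tcp" or "udp"
    src_port: int
    dst_port: int


# Constructed assumptions: the protected service lives at a documentation
# address and only offers HTTPS and HTTP over TCP. Everything else is dropped.
PROTECTED_IP = "203.0.113.10"
SERVICE_ALLOWLIST = frozenset({("tcp", 443), ("tcp", 80)})


def stateless_filter(hdr, allowlist=SERVICE_ALLOWLIST, protected_ip=PROTECTED_IP):
    """Per-packet decision from header fields alone: no state, no timers, no payload."""
    if hdr.dst_ip != protected_ip:
        return "drop"                       # not addressed to the service we protect
    if (hdr.protocol, hdr.dst_port) in allowlist:
        return "accept"
    return "drop"                           # covers every UDP packet: the service offers none


def filter_batch(headers, **kw):
    """Apply the filter to a batch; return decision counts and the accepted headers."""
    counts = Counter()
    accepted = []
    for h in headers:
        decision = stateless_filter(h, **kw)
        counts[decision] += 1
        if decision == "accept":
            accepted.append(h)
    return counts, accepted


# Constructed traffic sample: two legitimate client connections followed by a burst
# of reflected UDP replies. Reflected traffic arrives from the reflector's service
# port (53 and 123 here, constructed) with the victim as destination.
SAMPLE = [
    PacketHeader("198.51.100.7", PROTECTED_IP, "tcp", 51234, 443),
    PacketHeader("198.51.100.8", PROTECTED_IP, "tcp", 40000, 80),
] + [
    PacketHeader(f"192.0.2.{i}", PROTECTED_IP, "udp", 53, 1024 + i) for i in range(1, 51)
] + [
    PacketHeader(f"192.0.2.{i}", PROTECTED_IP, "udp", 123, 2048 + i) for i in range(1, 51)
]


def demo():
    """Returns (accepted count, dropped count, accepted source IPs) for SAMPLE."""
    counts, accepted = filter_batch(SAMPLE)
    return counts["accept"], counts["drop"], [h.src_ip for h in accepted]


if __name__ == "__main__":
    print(demo())
```

The decision for each packet depends only on the tuple in the header, which is why such a rule set maps onto hardware match tables. The caveat a practitioner should keep in mind: an allowlist only helps because the service offers no UDP. If the allowlist did contain a UDP port, reflected replies aimed at that port would match it and would need a different header-level rule, which the example does not attempt.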