Defending Against DDoS Attacks

Members and Collaborators


DDoS attacks are very frequent and have been increasing in volume and sophistication. Some forms of DDoS are very challenging to handle because the attack traffic is too voluminous, or too similar to legitimate traffic. Our research tackles these special types of DDoS.


SENSS helps a victim diagnose and filter a volumetric DDoS attack. Such attack overwhelms the victim's upstream link and must be handled through collaboration of upstream ISPs. SENSS - software-defined security service is a framework that enables a victim network to request services from remote ISPs for traffic that carries source IPs or destination IPs from this net work's address space. These services range from statistics gathering, to filtering or quality of service guarantees, to route reports or modifications. The SENSS service has very simple, yet powerful, interfaces. This enables it to handle a variety of data plane and control plane attacks, while being easily implementable in today's ISP. Through extensive evaluations on realistic traffic traces and Internet topology, we show how SENSS can be used to quickly, safely and effectively mitigate a variety of large-scale attacks that are largely unhandled today


FRADE helps a Web server identify and blacklist bots, which are involved in an application-level (layer 7) DDoS attack on this server. FRADE is a set of applications, which analyze Web logs looking for behaviors that are atypical for human users. When such a behavior is identified, the corresponding source IP address is added to a blacklist on the server.


Low-rate denial-of-service (LRD) attacks deny service by depleting some limited resource at the end host or a network device. This makes the device unable to process legitimate clients' traffic. Since LRD attacks are very low-rate, they are challenging to detect and handle at the network level. This makes the attack traffic a needle in a haystack of legitimate traffic. On the other hand, detecting LRD at application would require changes to many applications, and would only be effective against specific attack variants.

This project develops, implement and evaluate the Leader defense. Leader builds profiles that describe how external requests, clients, applications and the entire device use system resources. These profiles, called "connection life stages," contain information about the type and the amount of the resource used, the order in which the use occurs, and the time that each chunk of resource is being held. Leader compares instantaneous profiles to baseline profiles at connection, client, application and device level to detect denial of service and identify the resources being affected. Leader further uses connection life stages to perform anomaly detection, which is used for attack diagnostics and mitigation. In rare cases when the profiles do not show anomalous use of resources, or cannot attribute it to specific connections or clients, Leader resorts to offline binary analysis of affected applications. This analysis helps us understand how code paths in the application use system resources and identify possible code changes to increase robustness to LRD attacks. Leader defense is implemented as an OS module, and thus protects the deploying device against all LRD attacks at the OS and the application level.

DDiDD: DNS Defense in Depth

DDIDD project looks to address DDoS attacks on DNS servers. These attacks are more challenging than other application-layer attacks because: (1) DNS traffic runs over UDP and thus can be spoofed and (2) DNS is a critical service in the Internet. Our project seeks to develop and deploy a defense-in-depth approach to mitigate Distributed Denial-of-Service attacks for DNS servers. Consistent with NSF’s goal for making Research cyber-infrastructure more resilient, we seek to better protect operational DNS cyber infrastructure. Our approach, Deep Layers, will integrate approaches to filter spoofed traffic, approaches to identify known-good traffic when possible, and adds a cloud-based scaling component to handle the largest attacks. These steps address an array of increasingly sophisticated attacks, ranging from those we see today to those that may be possible in the future. In the end, we hope to significantly increase the resilience of DNS servers to DDoS attacks. We plan to deploy Deep Layers to protect critical infrastructure services, and to work with USC’s B-Root team as an initial case study. We will be making our resulting tools available to others as open source software.

Software and Datasets


This material is based upon work supported by the National Science Foundation under grant #1319215 and #1815495, and by the Science and Technology Directorate of the United States Department of Homeland Security under contract number D15PC00184. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the National Science Foundation nor the Department of Homeland Security.