Detecting Distributed Denial of Service Attacks on Wide-Area Networks
Sean Peisert (PI)
Chen-Nee Chuah (LBNL Faculty Scientist / UC Davis)
Dipak Ghosal (LBNL Faculty Scientist / UC Davis)
Ross Gegan (LBNL GSR / UC Davis)
Chang Liu (LBNL GSR / UC Davis)
A large scale distributed denial of service (DDoS) attack has the potential to not only impact the target site, but impact performance along the entire network path. Today, DDoS mitigation across DOE Sites is largely handled at the site borders using a combination of heuristic and filtering techniques, manual changes, and commercial services that can “absorb” attacks against specific sites. With the scale of DDoS increasing dramatically with little indication of slowing down, the task of DDoS detection and mitigation across ESnet’s extensive wide area network (WAN) becomes a higher priority, with increased complexity of detection and execution.
As ESnet pushes the boundary of modern network technology, we must also develop the security tools and strategies that are most effective for monitoring the WAN to prevent DDoS attacks for a next-generation network architecture. Specifically, this includes research issues of disambiguating very large science flows from malicious attacks, and developing mechanisms and tools for DDoS detection that can integrate this knowledge.
While commercial DDoS tools and services exist to mitigate DDoS attacks to certain extents, and within typical enterprise and service provider networks, the effectiveness of those tools is extremely limited. ESnet transits all types of traffic, from ordinary websites and email to massive scientific data sets, thus DDoS protection targeting multiple facets of the network stack is required. Since commercial tools are typically and almost exclusively focused on commercial enterprise traffic, research on both detecting and mitigating DDoS is still deemed as essential as demonstrated by the interest of numerous other organizations funding R&D efforts in this space, including NSF, DARPA’s “Extreme DDoS Defense (XD3),” and others. However, most research [BBHkc09,MR04] and commercial service products target protection for individual sites, not entire WANs, let alone WANs carrying large volumes of scientific traffic. Since it is ESnet’s responsibility to protect availability for the entire ESnet WAN, this raises both the importance and value of blocking attacks earlier, before they reach individual DOE Sites.
A focus in the DOE space is ESnet’s ability to inform DDoS identification techniques with additional information sources to reduce the likelihood of false positives. WAN level detection algorithms can be bolstered by information provided by DDoS detection information provided by the Sites to confirm positive DDoS detection. On the opposite front, pre-defined network circuit reservations (as are available through OSCARS) can help identify a large flow as being scientific data rather than a malicious attack. The DOE is in a unique position to perform the research necessary to take a very different approach from both commercial services as well as the research approaches pursued by funding agencies other than DOE.
This project is supported by the US Department of Energy’s iJC3 Cyber R&D program
DDoS Detection Source Code at GitHub
Publications resulting from this project:
Chang Liu, “Network Monitoring and Security Enhancement in Software-Defined Networking,” Ph.D Dissertation, University of California, Davis, Department of Electrical and Computer Engineering, May 2019. (Advisor: Prof. Chen-Nee Chuah.)
Software resulting from this project:
LBNL DDoS Detection on Science Networks
More information is available on other Berkeley Lab R&D projects focusing on cybersecurity in general, as well as specifically on cybersecurity for scientific and high-performance computing.