Mirage: Towards Deployable DDoS Defense for Web Applications
Prateek Mittal, Dongho Kim, Yih-Chun Hu, Matthew Caesar

TL;DR
Mirage is a practical DDoS defense protocol that leverages existing router functionality and IP address randomization to enhance deployability and effectiveness for web applications.
Contribution
Mirage introduces a deployable DDoS mitigation protocol that requires minimal infrastructure changes and employs IP address hopping for improved security.
Findings
Comparable performance to existing schemes
Effective in simulations and PlanetLab prototype
Requires only existing router functionality
Abstract
Distributed Denial of Service (DDoS) attacks form a serious threat to the security of Internet services. However, despite over a decade of research, and the existence of several proposals to address this problem, there has been little progress to date on actual adoption. We present Mirage, a protocol that achieves comparable performance to other DDoS mitigation schemes while providing benefits when deployed only in the server's local network and its upstream ISP, where local business objectives may incentivize deployment. Mirage does not require source end hosts to install any software to access Mirage protected websites. Unlike previous proposals, Mirage only requires functionality from routers that is already deployed in today's routers, though this functionality may need to be scaled depending on the point of deployment. Our approach is that end hosts can thwart the attackers by…
Taxonomy
Topics: Network Security and Intrusion Detection · Advanced Malware Detection Techniques · Internet Traffic Analysis and Secure E-voting
