Fine-Grained Endpoint-Driven In-Network Traffic Control for Proactive DDoS Attack Mitigation

TL;DR

This paper introduces MiddlePolice, a deployable, proactive DDoS mitigation system that enforces destination-driven traffic control without requiring changes to existing Internet infrastructure, demonstrated through extensive evaluations.

Contribution

MiddlePolice is the first deployable, proactive DDoS prevention mechanism that guarantees delivery of victim-desired traffic using a novel feedback-based traffic control approach.

Findings

Successfully implemented a prototype of MiddlePolice.

Demonstrated effectiveness through extensive Internet and hardware testbed evaluations.

Achieved guaranteed traffic delivery despite attacker strategies.

Abstract

Volumetric attacks, which overwhelm the bandwidth of a destination, are among the most common DDoS attacks today. Despite considerable effort made by both research and industry, our recent interviews with over 100 potential DDoS victims in over 10 industry segments indicate that today's DDoS prevention is far from perfect. On one hand, few academical proposals have ever been deployed in the Internet; on the other hand, solutions offered by existing DDoS prevention vendors are not a silver bullet to defend against the entire attack spectrum. Guided by such large-scale study of today's DDoS defense, in this paper, we present MiddlePolice, the first readily deployable and proactive DDoS prevention mechanism. We carefully architect MiddlePolice such that it requires no changes from both the Internet core and the network stack of clients, yielding instant deployability in the current Internet architecture. Further, relying on our novel capability feedback mechanism, MiddlePolice is able to enforce destination-driven traffic control so that it guarantees to deliver victim-desired traffic regardless of the attacker strategies. We implement a prototype of MiddlePolice, and demonstrate its feasibility via extensive evaluations in the Internet, hardware testbed and large-scale simulations.