# Umbrella: Enabling ISPs to Offer Readily Deployable and Privacy-Preserving DDoS Prevention Services

**Authors:** Zhuotao Liu, Yuan Cao, Min Zhu, Wei Ge

arXiv: 1903.07796 · 2019-04-09

## TL;DR

Umbrella is a practical, multi-layered DDoS defense system for ISPs that offers deployable, privacy-preserving protection against diverse attacks with minimal overhead, validated through real-world experiments.

## Contribution

It introduces a novel multi-layered DDoS defense architecture enabling ISPs to deploy effective, privacy-preserving mitigation services with demonstrated scalability and low overhead.

## Key findings

- Handles large-scale attacks with millions of flows
- Imposes negligible packet processing overhead
- Proven effective through physical testbed and simulations

## Abstract

Defending against distributed denial of service (DDoS) attacks on the Internet is a fundamental problem. However, recent industrial interviews with over 100 security experts from more than ten industry segments indicate that DDoS problems have not been fully addressed. The reasons are twofold. On one hand, many academic proposals that are provably secure see little real-world deployment. On the other hand, the operating model of existing DDoS-prevention service providers (e.g., Cloudflare, Akamai) is privacy-invasive for large organizations (e.g., government). In this paper, we present Umbrella, a new DDoS defense mechanism enabling Internet Service Providers (ISPs) to offer readily deployable and privacy-preserving DDoS prevention services to their customers. At its core, Umbrella develops a multi-layered defense architecture to defend against a wide spectrum of DDoS attacks. In particular, the flood throttling layer stops amplification-based DDoS attacks; the congestion resolving layer, aiming to prevent sophisticated attacks that cannot be easily filtered, enforces congestion accountability to ensure that legitimate flows are guaranteed to receive their fair shares regardless of attackers' strategies; and finally the user-specific layer allows DDoS victims to enforce self-desired traffic control policies that best satisfy their business requirements. Based on a Linux implementation, we demonstrate that Umbrella is capable of dealing with large-scale attacks involving millions of attack flows while imposing negligible packet processing overhead. Further, our physical testbed experiments and large-scale simulations prove that Umbrella is effective in mitigating various DDoS attacks.
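The fair-share guarantee that the abstract attributes to the congestion resolving layer, illustrated with an added Python example that is not the paper's code: a max-min (water-filling) allocator stands in for that layer, and the link capacity, flow names and per-flow demands are constructed sample values.

```python
"""Illustration of the fair-share guarantee (added example, not Umbrella's
implementation): under max-min fairness every flow receives at least
min(its demand, capacity / number_of_flows), so however much demand the
attack flows inject, a legitimate flow's allocation never drops below
its fair share. Capacity, flow names and demands below are constructed."""
from typing import Dict, Iterable


def max_min_fair_share(demands: Dict[str, float], capacity: float) -> Dict[str, float]:
    """Water-filling: flows demanding less than the current even share are
    fully satisfied; the leftover is split evenly among the remaining flows."""
    alloc = {flow: 0.0 for flow in demands}
    remaining = capacity
    unsatisfied = sorted(demands, key=demands.get)  # ascending by demand
    while unsatisfied and remaining > 0:
        share = remaining / len(unsatisfied)
        flow = unsatisfied[0]  # smallest outstanding demand
        if demands[flow] <= share:
            alloc[flow] = demands[flow]
            remaining -= demands[flow]
            unsatisfied.pop(0)
        else:
            # Every remaining flow wants at least `share`: hand it out evenly.
            for other in unsatisfied:
                alloc[other] = share
            remaining = 0.0
            unsatisfied = []
    return alloc


def legitimate_share_held(demands: Dict[str, float], capacity: float,
                          legit: Iterable[str]) -> bool:
    """True if each legitimate flow gets min(demand, capacity / N) or more."""
    alloc = max_min_fair_share(demands, capacity)
    fair = capacity / len(demands)
    return all(alloc[f] >= min(demands[f], fair) - 1e-9 for f in legit)


if __name__ == "__main__":
    # Constructed scenario: a 100-unit link, two legitimate flows and eight
    # attack flows that each demand far more than the whole link.
    demands = {"legit-a": 5.0, "legit-b": 30.0}
    demands.update({f"attack-{i}": 1000.0 for i in range(8)})
    for flow, rate in max_min_fair_share(demands, 100.0).items():
        print(f"{flow:9s} {rate:6.2f}")
    print("legitimate flows kept their share:",
          legitimate_share_held(demands, 100.0, ["legit-a", "legit-b"]))
```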


## Figures

23 figures with captions in the complete paper: https://tomesphere.com/paper/1903.07796/full.md

## References

39 references — full list in the complete paper: https://tomesphere.com/paper/1903.07796/full.md

---
Source: https://tomesphere.com/paper/1903.07796