University of Twente Student Theses


Automatic Generation of Access Control List on Mellanox Switch For DDoS Attack Mitigation Using DDoS Fingerprints

Sridhar Bangalore Venugopal (2019) Automatic Generation of Access Control List on Mellanox Switch For DDoS Attack Mitigation Using DDoS Fingerprints.

Abstract: A Distributed Denial of Service (DDoS) attack sends a large amount of network traffic with the intention of disrupting online services. A successful DDoS attack can have a significant impact in terms of financial damage and brand reputation. In 2018, Arbor security reported that forty percent of the medium-sized organizations protected by them were under frequent DDoS attacks. There are two main techniques to detect and mitigate DDoS attacks: signature-based detection and anomaly-based detection. The former is more specific and efficient in detecting known attacks, while the latter is more generic and capable of detecting new attacks. There are also solutions that combine these two techniques, called hybrid-based. The problem addressed in this thesis is that, in the literature, there is no knowledge transfer from anomaly-based to signature-based solutions. In other words, attacks detected by anomaly-based solutions are not used to improve the signature-based ones (which are known to be faster). This type of improvement is suitable for attacks that happen frequently, for example, attacks performed by a botnet campaign. After an attack is detected by the anomaly-based solution, our methodology (1) collects enough samples of attack data, (2) summarizes this attack data into a DDoS attack fingerprint, and (3) converts this attack summary into a signature-based solution. We used more than 200 actual attack traces to discover the minimum amount of data that contains enough attack information. Then, we propose an algorithm to automatically convert this attack information into an Access Control List (ACL) on a Mellanox switch (in a production network). Our results show that attack mitigation through ACLs was successful, but the inclusion of legitimate IP addresses needs to be minimized.
Also, for a few attacks the number of source IP addresses was not reduced, because they were widely distributed, while for attacks with a greater number of source IP addresses the reduction was larger. This research was performed at Nationale beheersorganisatie internet providers (NBIP) and some of our choices are in line with NBIP.
Item Type: Essay (Master)
NBIP, Ede, The Netherlands
Faculty: EEMCS: Electrical Engineering, Mathematics and Computer Science
Subject: 54 computer science
Programme: Computer Science MSc (60300)