finish DDoS protection section
jonniesweb committed Dec 15, 2016
1 parent f669a8c commit 4b43b1a
Showing 2 changed files with 31 additions and 0 deletions.
5 changes: 5 additions & 0 deletions honours-project.tex
Expand Up @@ -774,9 +774,13 @@ \subsubsection{Access Control}
\subsubsection{Denial of Service Protection}


Proactive testing of the security of systems and implementing basic security mechanisms for databases, applications, and other services help prevent loopholes from being found and exploited by attackers. DDoS attacks can be handled using a number of methods. Running an Intrusion Detection System (IDS) can verify network requests before they reach the cloud servers. Extra network bandwidth can cope with the increase in bandwidth caused by the DDoS. Additionally, having backup IPs can still allow access to critical resources.

The authors in \cite{jin2003hop} present an industrial solution to DDoS attack prevention called hop count filtering where spoofed IP packets are filtered out of the incoming network requests based on the time to live (TTL) information of incoming packets. An IP to hop count table is built to compare the expected number of hops for a given IP range. Spoofed incoming packets will often have a different hop count than the expected number of hops. This method has shown to reduce the DDoS attack by 90\%.

Another method is introduced in \cite{bakshi2010securing} where an IDS monitors the traffic flows coming into VMs. When a traffic spike occurs the IDS checks that the senders are acknowledging their connections. If no acknowledgement happens a honeypot pings the suspicious IP address. No reply from the ping request signifies a DDoS attack. The attacker IP addresses are blocked and the VM is migrated to a different datacentre.

Bohatei \cite{fayaz2015bohatei} is the name of a mechanism which uses software defined networking (SDN) and network functions virtualization (NFV) to flexibly and elastically defend against DDoS attacks. CSPs can add Bohatei to their network to dynamically filter and block DDoS attacks directed towards their CSUs. The authors show that many different attack types can be mitigated within one minute and can handle up to 500 Gbps of bandwidth.


\subsubsection{Third Party Audit}
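
Review bot: In the hop count filtering paragraph, "This method has shown to reduce the DDoS attack by 90\%" gives the 90% no referent: it could be the share of spoofed packets filtered, the attack traffic dropped, or something else. Say what \cite{jin2003hop} actually measured and fix the grammar ("has been shown to"). In the Bohatei paragraph, "many different attack types can be mitigated within one minute and can handle up to 500 Gbps" reads as if the attack types handle the bandwidth; give the second clause its own subject (the mechanism).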
Expand All @@ -786,6 +790,7 @@ \subsubsection{Third Party Audit}




% encryption, access control, third-party audit, isolation, TPM, trust, DoS protection, malicious insiders


26 changes: 26 additions & 0 deletions research.bib
Expand Up @@ -1130,3 +1130,29 @@ @inproceedings{yu2010achieving
year={2010},
organization={Ieee}
}

@inproceedings{fayaz2015bohatei,
title={Bohatei: Flexible and elastic DDoS defense},
author={Fayaz, Seyed K and Tobioka, Yoshiaki and Sekar, Vyas and Bailey, Michael},
booktitle={24th USENIX Security Symposium (USENIX Security 15)},
pages={817--832},
year={2015}
}

@inproceedings{jin2003hop,
title={Hop-count filtering: an effective defense against spoofed DDoS traffic},
author={Jin, Cheng and Wang, Haining and Shin, Kang G},
booktitle={Proceedings of the 10th ACM conference on Computer and communications security},
pages={30--41},
year={2003},
organization={ACM}
}

@inproceedings{bakshi2010securing,
title={Securing cloud from ddos attacks using intrusion detection system in virtual machine},
author={Bakshi, Aman and Dujodwala, Yogesh B},
booktitle={Communication Software and Networks, 2010. ICCSN'10. Second International Conference on},
pages={260--264},
year={2010},
organization={IEEE}
}
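
Review bot: The new title fields leave the acronym unprotected ("DDoS" in fayaz2015bohatei and jin2003hop, already "ddos" in bakshi2010securing), so bibliography styles that change title case will print it in lower case. Wrap it in braces in each title, e.g. title={Bohatei: Flexible and elastic {DDoS} defense}. fayaz2015bohatei also has no organization field while the other two new entries do; add one or drop the field from all three for consistency.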
