State-of-the-art DDoS defense

Part of the document Collaborative detection framework for security attacks on the internet of things (Pages 64 - 67)

So far, no mechanism can defeat DDoS attacks entirely. A common DDoS defense approach is to redirect the whole traffic to scrubbing centers, e.g., CloudFlare, for filtering [10], [65]. However, even though this method can mitigate the attack magnitude significantly before the attacks reach the victims, it also causes tedious network delays, wasteful expenditure of resources and excessive network footprints. In mobile networks, UEs may frequently move around various locations, and the variation in traffic behavior complicates the judgment about whether the traffic from a source is associated with a DDoS attack [58]. Consequently, traditional anti-DDoS techniques based on traffic models for fixed networks are not highly effective for mobile networks. Moreover, the limited battery supply in mobile devices can significantly limit the ability of in-device detection engines running in the background, because resident programs often consume much energy and memory. Furthermore, malware-injected applications may send only a few legitimate-looking requests per second, and such low-rate attacks cause tremendous difficulties for the existing outgoing-bandwidth-based detection methods. Importantly, most mobile devices do not stay at a fixed place during their data transmission but are in constant movement. As a result, tracking traffic at the mobile base stations is unlikely to be feasible, if not impossible. Finally, due to the large scale of mobile users, only a small fraction of the billions of these mobile devices, once injected with malware, can create extremely devastating DDoS traffic that consumes the bandwidth of the largest networks, e.g., up to several terabits per second. We believe that the processing capacity of any destination-based DDoS detection method is unlikely to endure the intensity of such attacks.

For simplicity, based on the classification of the attacks above, we also categorize the DDoS defense approaches into two types as follows:

1. Spoofing DDoS defense: Ingress and egress filtering are the conventional approaches widely deployed to prevent spoofing attacks. However, such filtering can break some types of special services, such as Mobile IP. IP traceback and reverse path filtering [10], [65] on wired networks can overcome this shortcoming, but they rely on the cooperation of all the routers on the packet path, which is usually impractical and uneconomical to implement in legacy networks.

2. Non-spoofing DDoS defense: Based on several recent studies [10], [58], we classify defense methods by deployment location: source-based, destination-based, network-based, and hybrid-based mechanisms, as shown in Fig. 4.1.2. The source-based methods aim to detect and filter the attack traffic at the attack sources, but they are not entirely effective due to the lack of aggregated traffic for classification. A destination-based method is deployed near the target and usually has a higher detection rate than a typical source-based mechanism. In large-scale DDoS attacks, however, the destination-based approach is often too late to protect legitimate access because the massive attack traffic may already congest the incoming link to the victim. A network-based mechanism is deployed at intermediate routers, but the shortage of sufficient aggregated traffic and the lack of knowledge about the real target may decrease the motivation for deployment. We believe that the closer the defense is to the target, the more accurately it can detect the attack traffic, but the less it satisfies the goal of DDoS defense. To overcome the limitations of a single-node approach, a hybrid-based approach combines the analytical capabilities of distributed DDoS filters to improve the efficiency of the whole system. Thus, a hybrid DDoS defense system is the most preferable means for protecting against DDoS attacks in IoT.
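The reverse path filtering mentioned under the spoofing defense above, as an added example that is not part of the original thesis: a minimal strict/loose reverse-path check over a constructed routing table and constructed packets. It shows both why the check catches spoofed sources and why strict mode drops a legitimate Mobile IP node that keeps its home address while roaming, exactly the breakage the text warns about. The routing table, interface names and addresses are assumptions for illustration.

```python
import ipaddress

# Constructed routing table of an edge router: prefix -> interface that
# leads toward that prefix (assumed topology, not from the thesis).
ROUTES = {
    ipaddress.ip_network("10.1.0.0/16"): "eth0",   # access network A
    ipaddress.ip_network("10.2.0.0/16"): "eth1",   # access network B
    ipaddress.ip_network("0.0.0.0/0"): "eth2",     # default route to upstream
}


def best_route(src_ip):
    """Longest-prefix match: interface a reply to src_ip would leave on."""
    addr = ipaddress.ip_address(src_ip)
    candidates = [(net, iface) for net, iface in ROUTES.items() if addr in net]
    if not candidates:
        return None
    return max(candidates, key=lambda c: c[0].prefixlen)[1]


def rpf_verdict(src_ip, ingress_iface, strict=True):
    """Reverse-path filter decision for one packet.

    strict: accept only if the best route back to the source leaves via the
            interface the packet arrived on (the default route counts).
    loose : accept if any non-default route to the source exists, on any
            interface (the variant that ignores the default route, since a
            default route would otherwise make loose mode accept everything).
    """
    addr = ipaddress.ip_address(src_ip)
    if strict:
        return "accept" if best_route(src_ip) == ingress_iface else "drop"
    has_specific = any(addr in net and net.prefixlen > 0 for net in ROUTES)
    return "accept" if has_specific else "drop"


# Constructed sample packets: (source IP, arrival interface, description).
PACKETS = [
    ("10.1.5.7", "eth0", "host on network A, arrives where expected"),
    ("10.1.5.7", "eth1", "A home address arriving from B: roaming Mobile IP node or spoofer"),
    ("10.2.9.9", "eth2", "internal address arriving from upstream: classic spoof"),
    ("192.0.2.1", "eth0", "source with no specific route back"),
]


def filter_packets(strict=True):
    """Map (source, interface) -> verdict for every sample packet."""
    return {(s, i): rpf_verdict(s, i, strict) for s, i, _ in PACKETS}


if __name__ == "__main__":
    for mode in (True, False):
        print("strict" if mode else "loose")
        for (src, iface), verdict in filter_packets(mode).items():
            print(f"  {src:>10} via {iface}: {verdict}")
```

Strict mode cannot tell the roaming node from a spoofer that uses the same address, which is why deployments with Mobile IP fall back to loose mode and lose the per-interface check.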

A detailed survey of the state-of-the-art defense approaches can be found in [61], [68]–[70], and a brief summary of several featured methods at the time of our research is listed in Table 4.1.2. To the best of our knowledge, no defense method aims to combine the learning information from multiple detection engines to improve the DDoS detection precision in cellular networks, particularly for mobile users. Another challenge in cellular networks is to build near-source detectors without modifying the well-established network protocols.

Figure 4.1.2: Classification of the DDoS defense mechanisms based on their deployment location. The closer the defense is to the target, the more accurately the defense can detect the attack traffic, but the less it satisfies the ultimate goal of DDoS defense.

As we described in Chapter 2, MEC will be a vital part of the future cellular infrastructure, i.e., 5G, in which MEC-based servers are attached in the proximity of cellular base stations to address a wide range of use cases. In this case, by integrating the source-based detectors running on MEC servers, our system can fully support the advanced filtering mechanism without modifying current forwarding or routing protocols. The conceptual MEC architecture is illustrated in Fig. 4.1.3. Moreover, due to the advantage of the MEC deployment location, the built-in detection engines can help to filter out DDoS flooding attacks near the sources and for multiple slices (mobile networks are one of three slices of 5G IoT networks), thus addressing our first and third goals (as mentioned in Chapter 1). At the time of writing, our work is the first attempt to support a collaborative detection approach that combines both edge-based and network-based filtering mechanisms.

Table 4.1.2: Overview of several featured works on the collaborative DDoS defense approach in recent years and the position of our work

| The work | Year | Contributions | Shortcomings |
|---|---|---|---|
| K. Lu et al. [22] | 2014 | A robust collaborative DDoS defense for ISP networks | For wired networks, no spoofing filter, no mobility support |
| S.T. Zargar [10] | 2015 | An overview of the state-of-the-art DDoS defense approaches | For wired networks, no mobility and data aggregation support |
| Zilberman et al. [65] | 2017 | A centralized DDoS filtering | No spoofing filter, excessive network footprints, high computation |
| Jazi et al. [66] | 2017 | Non-parametric CUSUM-based DDoS defense, traffic distribution sampling methods | No collaboration, no spoofing filter, no mobility support |
| Hong et al. [67] | 2018 | SDN-assisted DDoS defense, traffic distribution for SDN networks | Centralized approach, no spoofing filter, no mobility support |
| Our work | 2018 | A competitive collaborative DDoS defense for mobile networks, supporting MEC and mobile UEs, few network footprints, ... | Only evaluated for mobile networks, extra bandwidth for aggregation |
