Scientific summary

The goal of this project is to develop an architecture to detect and mitigate Distributed Denial of Service (DDoS) attacks on public organizations such as schools. Since summer 2013 the number of such attacks has increased rapidly, primarily due to availability of booters, i.e., web-based facilities that offer “DDoS-as-a-service”. Booters find their origins within the Internet gaming community, and can be used for a few euros by people without any technical skills. Since booters use general Internet services such as DNS and NTP to amplify their attacks, they can operate without an underlying botnet.

Although DDoS attacks are well-known in literature, it took the Wikileaks “operation payback” (2010) until the general audience understood the potential power of such attacks. Since then we’ve witnessed attacks on banks and crucial Internet services; some of these attacks even reached traffic peaks of 400 Gbps. Since summer 2013 the Dutch Research Network provider (SURFNet) sees a trend that students use booters to attack schools, often at times of exams. Also other public organizations and services, e.g., tax offices, DigiD, municipalities, hospitals are increasingly being targeted.

The novel approach of this project is to detect DDoS attacks at an early stage, within the core network. The scientific contribution is in two areas. First, Software Defined Networking (SDN) principles (OpenFlow) will be applied to divert at an early stage attack traffic towards filtering systems that employ sophisticated anomaly detection mechanisms (e.g., HMM and SVM). Second, business modeling will be an integral part of the research, including economic, regulatory and ethical aspects.


By its very nature, this project is of a pronounced multidisciplinary nature. The topic of our research is computer science oriented, with a particular focus on networking and cyber-security. However, beside researching and developing technical solutions for the problem of DDoS defense, we will also investigate the economic, regulatory and ethical implications of DDoS attacks and defense on Dutch classes of users such as schools and governmental institu tions. Therefore this project will also cover topics from the business and governance and legal fields. In addition, the member of the research team, in particular the ones associated with the Design and Analysis of Communication System at the University of Twente, will also focus on the ethical considerations related to doing research on Distributed Denial of Service attacks. In this respect, the project will benefit from the collaboration with the Ethical Advisor at the Center for Telematics and Information Technology at the University of Twente, and with the UT Ethical Committee.

Research Approach

The goal of this project is to develop an architecture to detect and mitigate DDoS attacks on public organizations. Our approach is based on the following activities:
  1. Developing of effective solution for in-house DDoS detection and mitigation for protecting schools and the public sector
  2. Investigating the economic and regulatory aspects of DDoS attack defense, and developing appropriate business models
1. DDoS detection and mitigation

Our approach to DDoS defense is built upon the two following steps: early detection, attack mitigation.

Step 1: Early detection Detecting DDoS at the victim side is, for most of the categories of DDoS common nowadays, a quite straightforward task. For example, DDoS reflection and amplification attacks cause in most of the case volumetric anomalies in the traffic profile of the target system. However, questions can be raised about the effectiveness of DDoS detection and mitigation when actions are taken only at the victim side. This is because, once the attack is detected, in most cases little can be done for lessen its effects, since not only the target system would be by then affected, but the attack could also have hinder the functionality of on-site detection and monitoring mechanisms. Often, the target system will put in place mechanisms to protect itself from the attacks, such as for example, instructing firewalls to block offending traffic. However, when attacks with rates in the order of several Gbps take place, mitigation at the target is not effective anymore. This is because the attack traffic is likely to provoke congestions in the entire target network or even in the target’s provider network, consuming most or all the available bandwidth and effectively disconnecting the target system and other users from  the Internet. We propose therefore to perform early detection of DDoS traffic streams closer to the Internet backbone, where the offending traffic is less likely to cause congestions and performance degradation, and appropriate countermeasures can be timely taken. Our approach should satisfy the following characteristics:
  • Effective DDoS detection: DDoS attack traffic detection (and the consequently mitigation action, discussed
    further in this section) needs to take place further away from the target and closer to the Internet backbone. In
    high-layer networks the DDoS attack will be constituted by several attack “streams”, each one of them not yet
    consuming enough bandwidth to hinder the functionality of the transit network.
  • Scalable DDoS detection: We propose to develop an intelligent monitoring and detection infrastructure that
    relies on the following components: i) a set of distributed sensors; and ii) a centralized correlation engine
    aiming at integrating the input of the distributed sensors. In addition, to ensure timely detection, the sensors
    needs to already be able to perform a preliminary data processing and detection step that would result in
    a series of security warnings.
Another advantage of such a monitoring and detection system will be to gather progressive knowledge about the infrastructure used by attackers for DDoS attacks. In the past, we have often seen Botnets as the primary vector of such attacks. Nowadays, several attacks make use of unwillingly co-operating middle-hosts, as in the case of reflection attacks, and little is known about how the attack is started, and how large is the infrastructure that an attacker can misuse (e.g., in the case of booters).

Step 2: Attack mitigation The second step of the proposed research investigate how it is possible to mitigate DDoS attacks in-house, therefore creating a operator-based and possibly nation-based solution against these attacks. In-house DDoS mitigation has the advantage that no privacy-sensitive data are diverted towards data-centers under the control of third-party companies, thus minimizing the risk that un-authorized access is granted to our data. Key aspects to be investigated will be:
  • Clearing mechanisms: DDoS traffic streams are often mixed with legitimate traffic. This is the case, for example, for DNS traffic, or for HTTP requests reaching a Web server. This research will investigate suitable clearing mechanisms for identifying offending traffic and separate it from legitimate one. Possible areas of research related to this topic are traffic classification, anomaly detection and intrusion detection, with associated approaches such as modeling (e.g., Hidden Markov Models), machine learning (e.g., Support Vector Machines), pattern recognition and pattern matching. The proposed solution should be extensible and modular, allowing on-the-fly modification to accommodate specific requests coming for example from the security team of the targeted system.
  • Automatic Isolation and mitigation mechanism: offending traffic, once detected in Step 1, should be isolated from the normal network traffic. Traffic isolation has the goal of minimizing the impact of offending traffic on the overall functioning of the network, and possibly paving the way to more efficient clearing mechanisms. This step should investigate how network management mechanisms that can control the forwarding plane in the considered network can be applied to successfully isolate the traffic to be investigated. Also in this case, such a solution should allow for fast and on-demand reconfiguration. Examples of technologies in this respect are Software Defined Networking (SDN) principles as OpenFlow, network virtualization mechanism, but also Firewalls-as-a-Service and ACLs at the backbone edge routers, e.g., to null-route the attack traffic.
The cornerstone of our approach is the integration of our proposed solution with existing backbone network 
infrastructure, in particular with the typically deployed monitoring mechanisms, such as flow-based solutions (e.g., Cisco Netflow, INVEA-Tech, Juniper). We will be able to do that because of our expertise in on-probe monitoring specifically targeted to flow exporters. Studies have shown that sophisticated correlation of data in flow-based settings, although promising, is not yet addressed properly by current approaches.

2. Business models for DDos defense

Our objective is to develop viable business strategies for governmental organizations and companies that have to deal with DDoS threats. We do not expect that a “one solution fits all” strategy exists. We expect that these strategies depend on the type of business in consideration. The damage DDoS attacks in the considered landscape is not only the financial losses due to diminished turnover, but longer term adverse effects, e.g., loss of user trust due toperformance degradation and data leakage or erosion of privacy due to DDoS defense based on massive rerouting of traffic.

We propose to use business modeling as a means to develop business strategies dealing with DDoS threats. The rise of the Internet in the 1990s drastically changed the way companies create and capture value, and this change as not escaped governmental institutions. At the same time these developments create opportunities for cybercrime, including the DDoS threats, which are subject of this proposal. Research activities on business models increased significantly to better analyze and understand value creation through e-services and e-business. However, business models are rarely used to understand and analyze the vulnerabilities and threats for private companies or for the public sector. We therefore propose to use business modeling as a systematic way to analyze the impact of DDoS threats.

The economic value of a technology remains latent until it is commercialized through a business model. The business model represents the gap between business strategy and business processes. Companies bring technologies to the market through a venture shaped by a specific business model, whether explicitly considered or implicitly embodied in the act of innovation. Osterwalder and Pigneur define business models as the underlying idea of how an organization creates, delivers, and maintains value. According to Morris, Schindehutte and Allen the business model can be used as a central construct in entrepreneurial research. It is in general difficult to decide on a particular business issue or change it, when it is not clearly understood. The strengths of business models lie in efforts to understand businesses by decomposing strategy into a system of inter-related decisions, relationships and organizational boundaries. A weakness of the business model concept is its failure, to date, to accommodate location decisions and internationalization. The business model logically is presented at operational level, since it defines how to execute the strategy, representing the firm’s underlying core logic and strategic choices.

The targeted business strategies have two aspects. The first aspect is the damage a DDoS attack can cause to online entities. The second aspect is the strategic and economic consequences of  countermeasures an entity has to apply to prevent damage due to DDoS attack. Our goal is to investigate these aspects in both a qualitative and quantitative way, taking into consideration the knowledge acquired in the previous steps and the developed defense strategies.

Recently, we have augmented qualitative business modeling with quantitative analysis based on activity based costing in the health care domain. Our objective in this proposal is to conduct a case study with various public organisations and companies vulnerable for DDoS attacks. We build business models to identify the activities and resources that will be impacted by DDoS attacks. We then analyze the consequences for the value propositions offered to the customers, e.g., for the quality of service or protection of personal information. Our quantitative analysis will be used to investigate costs, benefits and risks related to the business of companies threatened by DDoS attacks.