Distributed Denial of Service (DDoS) attacks are difficult to mitigate with traditional methods, which tend to drop legitimate traffic along with the offending DDoS traffic. Techniques exist that separate the two, dropping the offending traffic and forwarding the legitimate traffic, by using high-performance in-line traffic policers; the cost is that all traffic destined for a potential DDoS victim must then pass through the policer.

The techniques presented herein propose a method for handling DDoS attacks using Hyperledger. A firewall, NetFlow analyser or edge router detects the DDoS attack and reports it back to the "source" side of the network, publishing the attack vector (e.g., destination IP, source IP, destination port) together with relevant flow and application-layer information. The attack vector is also mapped to a Distributed Denial of Service Segment ID (DDoS SID), so that the Segment Routing (SR) router at the source itself identifies the offending traffic stream and flags it as suspicious with the DDoS SID at the entry point of the network. Based on the DDoS SID, the flagged traffic is redirected to a traffic policer for further processing, while all other traffic flows proceed through the network unchanged.

To reduce false positives (traffic that is initially labelled with the DDoS SID but is found to be legitimate after passing through the traffic policer), the traffic policer writes its DDoS traffic statistics to the Hyperledger, and the firewall or edge router periodically learns from those statistics and adapts so that legitimate traffic stops being labelled with the DDoS SID. Because redirection and filtering of suspicious traffic happen at the entry point, before the traffic reaches the attacked segment, the exposure of the rest of the network to the attack is limited.
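The control loop described above, written out as an added example that is not part of the original disclosure: a detector publishes an attack vector and its DDoS SID mapping, the SR ingress router builds its classifier from the ledger and imposes the DDoS SID on matching flows, the policer writes verdicts back, and the ingress learns to stop labelling sources the policer cleared. The hash-chained in-memory ledger is a stand-in for a Hyperledger channel, the SID values (16009 for the policer, 16003/16004/16010 as ordinary prefix SIDs), the packet-rate heuristic in place of a real policer, the retirement threshold, and all addresses and flows are constructed assumptions.

```python
import hashlib
import json
from collections import defaultdict

DDOS_SID = 16009            # assumed SR-MPLS SID whose endpoint is the traffic policer
MAX_CLEARED_SOURCES = 2     # assumed: a vector that has cleared more distinct sources is over-broad and retired
POLICER_PPS_LIMIT = 10_000  # assumed packet-rate heuristic standing in for the real policer


class Ledger:
    """Append-only hash-chained record list standing in for a Hyperledger channel."""

    def __init__(self):
        self.records = []

    def append(self, body):
        prev = self.records[-1]["hash"] if self.records else "0" * 64
        digest = hashlib.sha256((prev + json.dumps(body, sort_keys=True)).encode()).hexdigest()
        self.records.append({"prev": prev, "hash": digest, "body": body})
        return digest

    def verify(self):
        """Recompute the chain; any edited or reordered record breaks it."""
        prev = "0" * 64
        for rec in self.records:
            expected = hashlib.sha256((prev + json.dumps(rec["body"], sort_keys=True)).encode()).hexdigest()
            if rec["prev"] != prev or rec["hash"] != expected:
                return False
            prev = rec["hash"]
        return True


def report_attack(ledger, detector, vector, sid=DDOS_SID):
    """Detector (firewall / NetFlow analyser / edge router) publishes the attack vector and
    the DDoS SID it maps to; the record hash serves as the rule id that verdicts refer to."""
    return ledger.append({"type": "attack_vector", "detector": detector, "vector": vector, "sid": sid})


def report_verdict(ledger, rule, flow, legitimate):
    """Traffic policer publishes whether a flow steered under `rule` turned out to be legitimate."""
    return ledger.append({"type": "policer_verdict", "rule": rule,
                          "src_ip": flow["src_ip"], "legitimate": legitimate})


def active_rules(ledger):
    """The edge's learning step: read the ledger, exempt sources the policer has cleared,
    and retire vectors that proved over-broad. Returns (rule id, body, exempt sources)."""
    cleared = defaultdict(set)
    for rec in ledger.records:
        if rec["body"]["type"] == "policer_verdict" and rec["body"]["legitimate"]:
            cleared[rec["body"]["rule"]].add(rec["body"]["src_ip"])
    rules = []
    for rec in ledger.records:
        if rec["body"]["type"] != "attack_vector":
            continue
        if len(cleared[rec["hash"]]) > MAX_CLEARED_SOURCES:
            continue  # too many false positives: stop labelling this vector at all
        rules.append((rec["hash"], rec["body"], cleared[rec["hash"]]))
    return rules


def classify_at_ingress(ledger, flow):
    """SR ingress router: a flow matching an active vector (and not an exempted source)
    gets the DDoS SID imposed ahead of its normal segment list, steering it to the
    policer; everything else is forwarded unchanged. Returns (segments, rule id)."""
    for rule, body, exempt in active_rules(ledger):
        if flow["src_ip"] in exempt:
            continue
        if all(flow.get(k) == v for k, v in body["vector"].items()):
            return [body["sid"]] + list(flow["segments"]), rule
    return list(flow["segments"]), None


def police(flow):
    """Stand-in policer decision (constructed rate heuristic, not a real policer)."""
    return flow["pps"] <= POLICER_PPS_LIMIT


def run_scenario():
    """Constructed run: a UDP/53 vector against 203.0.113.10, one attacker, one innocent
    client that shares the victim tuple, and one unrelated flow."""
    ledger = Ledger()
    report_attack(ledger, "fw-edge-1", {"dst_ip": "203.0.113.10", "dst_port": 53, "proto": "udp"})
    base = {"dst_ip": "203.0.113.10", "dst_port": 53, "proto": "udp", "segments": [16003, 16010]}
    flows = {
        "attacker": dict(base, src_ip="198.51.100.7", pps=250_000),
        "client": dict(base, src_ip="198.51.100.20", pps=20),
        "unrelated": {"src_ip": "198.51.100.21", "dst_ip": "203.0.113.11", "dst_port": 443,
                      "proto": "tcp", "pps": 300, "segments": [16004, 16010]},
    }
    passes = []
    for _ in range(2):  # pass 1 labels both UDP/53 flows; pass 2 reflects the policer's verdicts
        result = {}
        for name, flow in flows.items():
            segments, rule = classify_at_ingress(ledger, flow)
            result[name] = segments
            if rule is not None:
                report_verdict(ledger, rule, flow, police(flow))
        passes.append(result)
    return {"passes": passes, "ledger_ok": ledger.verify(), "rules_active": len(active_rules(ledger))}
```

In the first pass both flows to 203.0.113.10:53 leave the ingress with 16009 at the head of their segment list and the unrelated flow is untouched; after the policer clears 198.51.100.20, the second pass forwards that client on its normal path while the attacker is still steered to the policer. The exemption is per source rather than per rule so that one cleared client does not unprotect the victim; a vector that clears more than MAX_CLEARED_SOURCES distinct sources is treated as over-broad and dropped entirely.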

Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 License.