DynaShield: Build On-Demand DDoS Defense Architecture with Cloud Services

Professor:   Xiaowei Yang
PhD Student:  Shengbao Zheng

Overview:   Large-scale Distributed Denial of Service (DDoS) attacks are a formidable threat to any online presence. Both industry and academic researchers have proposed various solutions to address the DDoS problem. This body of work falls into two main categories: DDoS-resistant network architectures and protection-as-a-service products provided by companies such as Cloudflare and Akamai. Architectural solutions require many upgrades to the existing Internet and have not been widely deployed. A protection-as-a-service product typically uses a large-scale global network as a protective “shield” and directs all its customers’ traffic to this network. This shield network is provisioned to have sufficient capacity to withstand the largest anticipated attack. It is expected to filter out attack traffic before the traffic reaches a customer. Despite their effectiveness, those services can be costly.

DynaShield is an on-demand DDoS defense architecture. It is built with cloud services, including both serverless functions (AWS Lambda) and elastic servers (AWS EC2). During attack times, DynaShield redirects all traffic to this “shield” before it can reach the protected service. Serverless functions can autoscale and are always on, but a customer pays only for the functions that get invoked. Elastic servers provide similar features, but a customer pays only while a server is running. In addition, those cloud services usually provide free raw-bandwidth DDoS protection (e.g., AWS Shield). The cloud infrastructure filters out raw-bandwidth attacks such as UDP flooding and forwards only properly formatted requests to the cloud services. Finally, the DynaShield design uses cryptocurrency mining as Proof-of-Work (PoW) to help offset the cost of the cloud services. In our design, a cryptocurrency PoW is a puzzle that is difficult to solve but easy to verify. During attack times, each client must produce a share of a cryptocurrency PoW before it can reach the server. This PoW can effectively limit the rate of attack traffic and, in the meantime, give a user a chance to earn mining profit.
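The sketch below is an added example, not DynaShield's own code, of how a gate function could admit a request only after the client presents a PoW share: solving takes many hashes, verifying takes one. Double SHA-256 as a stand-in for the coin's PoW function, the 12-bit share target, the HMAC-bound expiring challenge, and the in-memory replay set are all assumptions made for illustration.

```python
import hashlib, hmac, os, struct, time

SECRET = os.urandom(32)   # gate's HMAC key (assumed shared by all gate instances)
SHARE_BITS = 12           # constructed share difficulty: required leading zero bits
TTL = 60                  # seconds a challenge stays valid

def issue_challenge(client_id, now=None):
    """Stateless challenge: expiry || random salt || HMAC tag bound to the client."""
    now = time.time() if now is None else now
    body = struct.pack(">Q", int(now + TTL)) + os.urandom(8)
    tag = hmac.new(SECRET, body + client_id.encode(), hashlib.sha256).digest()
    return body + tag

def meets_target(challenge, nonce, bits=SHARE_BITS):
    """A share is valid when the hash, read as an integer, is below the share target."""
    data = challenge + struct.pack(">Q", nonce)
    digest = hashlib.sha256(hashlib.sha256(data).digest()).digest()
    return int.from_bytes(digest, "big") < (1 << (256 - bits))

def solve(challenge, bits=SHARE_BITS):
    """Client side: brute-force search, about 2**bits hash evaluations on average."""
    nonce = 0
    while not meets_target(challenge, nonce, bits):
        nonce += 1
    return nonce

def verify(client_id, challenge, nonce, seen, now=None, bits=SHARE_BITS):
    """Gate side: one HMAC and one PoW hash per request, whatever the difficulty."""
    now = time.time() if now is None else now
    if len(challenge) != 48:
        return False
    body, tag = challenge[:16], challenge[16:]
    expected = hmac.new(SECRET, body + client_id.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False                       # forged, or issued to another client
    if struct.unpack(">Q", body[:8])[0] < now:
        return False                       # challenge expired
    if (challenge, nonce) in seen or not meets_target(challenge, nonce, bits):
        return False                       # replayed share or insufficient work
    seen.add((challenge, nonce))           # assumption: a shared store in production
    return True
```

Raising `SHARE_BITS` by one doubles the expected client work per admitted request while the gate's verification cost stays constant, which is the asymmetry that rate-limits attack traffic.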

Publication:  DynaShield: A Cost-Effective DDoS Defense Architecture

Last updated: 03/28/2019