Abstract

Our research problem is that there are a large number of successful network reflection DDoS attacks. Via a UDP Reflection Attack, an attacker can send just 1 Gb/s of payload to innocent servers, and it is these servers which then can send over 4,600 times the payload to the victim! There are very expensive and complex solutions in use today, however most all of these on premise solutions can be easily circumvented. The academic community has not adequately addressed this research problem. We have created a new Internet services network security surface attack mitigation methodology. Our novel design patterns will help organizations improve the price/performance of their anti-network reflection solution by 100 times, as compared to common on premise solutions. Our analysis and results confirm that our solution is viable. Our novel solution is based on stateless IP packet header filtering firewalls (which can be implemented mostly in hardware due to their simplicity). We have reduced and in some cases eliminated the need for researchers to even try and find new ways to filter the same traffic via more complex, software driven stateful solutions.