Umbrella: Enabling ISPs to Offer Readily Deployable and Privacy-Preserving DDoS Prevention Services

Defending against distributed denial of service (DDoS) attacks in the Internet is a fundamental problem. However, recent industrial interviews involving over 100 interviewees from more than 10 industry segments that are vulnerable to DDoS attacks indicate that this problem has not been fully addressed. On one hand, little progress has been made on the real-world deployment of many academic proposals. On the other hand, the operation model for existing DDoS-prevention service providers (e.g., Cloudflare, Akamai) is privacy invasive for large organizations (e.g., government). In this paper, we npresent Umbrella, a new DDoS defense mechanism enabling ISPs to offer readily deployable and privacy-preserving DDoS prevention service to its customers. In its design, Umbrella develops a multi-layered defense architecture: (i) the flood throttling layer stops amplification-based DDoS attacks; (ii) the congestion resolving layer enforces congestion accountability by punishing flows continuously injecting packets in face of congestive losses; (iii) the user-specific layer allows the DDoS victim to enforce selfinterested traffic policing rules during attack mitigation. Based on Linux implementation, we demonstrate that Umbrella is capable to deal with large scale attacks involving millions of attack flows and introduces negligible packet processing overhead. Further, our real testbed experiments and large scale simulations prove that Umbrella is effective to mitigate volumetric DDoS attacks.