
Page 1: A Blockchain-based Architecture for Collaborative DDoS Mitigation … · 2017-02-01 · • Sahay et al., SDN-based collaborative framework which allows the customers to request DDoS

© 2017 1

A Blockchain-based Architecture for Collaborative DDoS Mitigation with Smart Contracts

Bruno Rodrigues 1, Thomas Bocek 1, David Hausheer 2, Andri Lareida 1, Sina Rafati 1, Burkhard Stiller 1

1 Communication Systems Group (CSG), Department of Informatics (IfI), University of Zurich (UZH)

2 P2P System Engineering Lab, Department of Electrical Engineering and Information Technology, TU Darmstadt

Page 2: DDoS Recent Attacks

[Figure: news headlines of recent DDoS attacks dated 29.11.2016, 03.01.2017, 06.01.2017, 24.01.2017 and 31.01.2017]

Page 4: DDoS Attacks (2)

• Attacks are becoming more sophisticated and more frequent

Imperva, 2016

“Identifying layer 7 attacks requires an understanding of the underlying application. It also requires proper differentiation between malicious bot traffic, regular bot traffic (such as search engine bots), and human traffic”

Akamai, Q3/2016

“In a DNS amplification attack, an attacker can send 1 Gbps of initial traffic, and 100 Gbps is delivered to the target”

Incapsula

Page 5: DDoS Mitigation

• Traditional scenario of DDoS mitigation
• Defense in a single domain
• Attacks are getting bigger and more sophisticated
• Opportunity for collaborative-defense mechanisms

[Figure: attackers located in AS1 and AS2 send attack traffic towards the victim in AS3; AS3 runs the DDoS defense mechanism and detects the attack but gets overloaded, while AS1 and AS2 do not detect the attack]

Page 6: Collaborative DDoS Defense

Benefits:
• Allows combining the defense capabilities of different ASes
• Reduces the burden of detection/mitigation in a single domain
• Allows blocking malicious traffic near its source
• Can reduce response time

[Figure: AS1, AS2 and AS3 send/receive attack information over a gossip-based protocol and combine their defense capabilities against the attack traffic]

Page 7: Collaborative DDoS Defense

• IETF (draft) DOTS (DDoS Open Threat Signaling): standardization of an architecture and protocol covering both intra-organization and inter-organization communications for advertising DDoS attacks.
  • IETF 2016
• Steinberger et al. propose an advertising protocol based on FLEX (Flow-based Event eXchange) to simplify protocol integration and deployment into existing equipment.
  • NOMS 2016
• Sahay et al.: SDN-based collaborative framework which allows customers to request DDoS mitigation from ASes. Requires an SDN controller at the customer side, interfaced with the AS.
  • NDSS (Network and Distributed System Security) 2015
• CoFence: cooperation between domains that implements VNFs to alleviate DDoS attacks by redirecting and reshaping excessive traffic to other collaborating domains for filtering.
  • CNSM 2016

Page 8: Collaborative DDoS Defense

• IETF DOTS: Architecture for inter-organization DDoS protection
  • Complex architecture and deployment
  • Main asset: standardization power

Ongoing IETF DOTS drafts:
1 - DOTS requirements
2 - DOTS proposal
3 - DOTS architecture

Page 9: Blockchain and Smart Contracts

• Decentralized and immutable ledger; no central repository or single administrator.
• Full decentralization, enabling trust among non-trusted peers.
• Holds and reports numbers of every transaction, ensuring transparency.
• Available to everybody, so transactions are public.

Smart contracts are pieces of software made to facilitate the negotiation or performance of a contract; they can be executed, verified or enforced on their own.
• Self-executing and immutable code stored on the blockchain

Page 10: Blockchain and Smart Contracts

[Figure: blockchain users submit transactions to a pool of transactions; miners collect transactions, execute the smart contracts, solve the Proof of Work (PoW) and broadcast the resulting data; each block consists of a header holding the hash of the previous block header and a data part holding the transactions]

Workflow shown in the figure:
1. submit transactions
2. collect transactions
3. execute smart contract
4. solve PoW
5. broadcast data

Page 11: Blockchain and Smart Contracts Applied to Collaborative DDoS Mitigation

• Blockchain users: Autonomous Systems (ASes) or customers
• Transaction: composed of a list of addresses either to be explicitly allowed (whitelist) or blocked (blacklist)
• Smart contracts: comprise the logic to report IP addresses in the blockchain and to prove the authenticity of the entity reporting the IP list.
  • For the customer, the certificate can be created with an automated challenge-response system.

[Figure: ASes and customers report a list of addresses as a transaction; a miner collects the transactions, executes the smart contract and broadcasts the new block with its header; ASes retrieve the reported lists from the blockchain]

Page 12: Blockchain-based Collaborative Defense

Advantages:
• Public and already available technology
• Appliances to read/write in the blockchain are easy to integrate with existing solutions
• Can be used as an additional security mechanism without modifying existing ones
• Independent of security policies and mechanisms
• Customers can also report attacks

[Figure: AS1, AS2, AS3 and a customer send/receive attack information through the blocks (header and data) of a shared blockchain instead of a gossip-based protocol]

Page 13: Blockchain-based Collaborative Defense

Ethereum blockchain
• A new block is mined every 14 seconds in Ethereum
• Both ASes and verified customers can report/retrieve IP addresses to/from the blockchain
• Both blacklisted and whitelisted IP addresses are supported
• The “gossip logic” is implemented in smart contracts

Page 14: Blockchain-based Collaborative Defense

• Either the AS or customers can create contracts; customers need to be certified in order to report addresses.
• Smart contracts are linked using a registry-type entry, so that whenever a new list is reported, other contracts are updated.
• Smart contract data can use a URL to point to a list of addresses.

Page 15: Smart Contract code

Collaborative approach with a few lines of code
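The contract listing on this slide is not present in the extracted text. The Solidity code below is an added example written for this page, not the authors' contract or any code from the paper: it models the elements described on pages 11, 13 and 14 (ASes and certified customers reporting blacklists or whitelists, a registry-type entry that links the per-AS contracts, and reports that may point to an off-chain list by URL). All names (ReportRegistry, AddressReports, report, setCustomerCertified, revoke), the bytes16 address encoding and the listHash field are assumptions of this example; listHash is a check added beyond the slides so that a reader can verify that an off-chain list fetched from the URL is the one the reporter committed to.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not the authors' contract. Registry that links the per-AS
// report contracts (the "registry-type entry" of page 14) so readers can find them.
contract ReportRegistry {
    address[] public reporters;                 // every report contract that registered
    mapping(address => bool) public registered;

    event ContractRegistered(address indexed reporter, uint256 index);

    // Called by a report contract while it is being constructed.
    function register() external {
        require(!registered[msg.sender], "already registered");
        registered[msg.sender] = true;
        reporters.push(msg.sender);
        emit ContractRegistered(msg.sender, reporters.length - 1);
    }

    function reporterCount() external view returns (uint256) {
        return reporters.length;
    }
}

// One contract per AS. The AS operator deploys it; customers it has certified may
// report lists through it. Reading is open to everyone, since the chain is public.
contract AddressReports {
    enum ListType { Blacklist, Whitelist }

    struct Report {
        address reporter;     // AS operator or certified customer
        ListType listType;
        bytes16[] addresses;  // hypothetical encoding: IPv4 left-aligned in 4 bytes, IPv6 in 16 bytes
        string url;           // optional pointer to an off-chain list (page 14)
        bytes32 listHash;     // added check: keccak256 of the off-chain list contents, zero if unused
        uint256 blockNumber;  // block in which the report was recorded
    }

    address public immutable asOperator;
    mapping(address => bool) public certifiedCustomers;
    mapping(uint256 => bool) public revoked;
    Report[] private reports;

    event CustomerCertified(address indexed customer, bool certified);
    event Reported(uint256 indexed id, address indexed reporter, ListType listType, uint256 count, string url);
    event Revoked(uint256 indexed id, address indexed by);

    modifier onlyOperator() {
        require(msg.sender == asOperator, "not the AS operator");
        _;
    }

    modifier onlyAuthorized() {
        require(msg.sender == asOperator || certifiedCustomers[msg.sender], "not certified to report");
        _;
    }

    constructor(ReportRegistry registry) {
        asOperator = msg.sender;
        registry.register();   // link this contract so other participants can discover it
    }

    // The AS records the outcome of its off-chain challenge-response certification (page 11).
    function setCustomerCertified(address customer, bool certified) external onlyOperator {
        certifiedCustomers[customer] = certified;
        emit CustomerCertified(customer, certified);
    }

    // Report a list of addresses to be blocked (blacklist) or explicitly allowed (whitelist).
    function report(ListType listType, bytes16[] calldata addrs, string calldata url, bytes32 listHash)
        external onlyAuthorized returns (uint256 id)
    {
        require(addrs.length > 0 || bytes(url).length > 0, "empty report");
        require(bytes(url).length == 0 || listHash != bytes32(0), "off-chain list needs a hash");
        id = reports.length;
        reports.push(Report({
            reporter: msg.sender,
            listType: listType,
            addresses: addrs,
            url: url,
            listHash: listHash,
            blockNumber: block.number
        }));
        emit Reported(id, msg.sender, listType, addrs.length, url);
    }

    // The ledger is immutable, so withdrawing a list is a new record, not a deletion.
    function revoke(uint256 id) external {
        require(id < reports.length, "no such report");
        require(msg.sender == asOperator || msg.sender == reports[id].reporter, "not allowed");
        revoked[id] = true;
        emit Revoked(id, msg.sender);
    }

    function reportCount() external view returns (uint256) {
        return reports.length;
    }

    // An AS appliance polls Reported events or this getter to update its filters.
    function getReport(uint256 id) external view returns (Report memory) {
        require(id < reports.length, "no such report");
        return reports[id];
    }
}
```

Deployment order in this example: the registry is deployed once, then each AS deploys its own AddressReports with the registry address, which registers the new contract automatically. A reading appliance should skip reports whose id is marked revoked, and, before acting on a report that carries a URL, fetch the list and compare keccak256 of its contents with listHash; a mismatch means the off-chain list was altered after it was committed. Because every report is public, as page 9 notes, anything written here (including whitelisted addresses) is readable by any participant.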

Page 16: Summary and Future Work

• Summary
  • Blockchains reduce the complexity of collaborative DDoS mitigation approaches by replacing existing gossip-based architectures/protocols with an already available infrastructure.
  • The solution presents low development complexity (less than 100 lines of code).
  • Easy to integrate: it can be deployed as an additional security mechanism. Existing security mechanisms and policies in ASes do not need to be modified.
• Future work
  • Investigate detection and enforcement details based on the combination of SDN and NFV technologies.
  • SDN enables the enforcement of customizable security policies and services.
  • An NFV-enabled blockchain appliance able to report and retrieve IP addresses and to request traffic changes from an SDN controller.

Page 17: Discussion

• Reasonable approach?
• Could this be deployed at an ISP?
• Fed4Fire?

Page 18: References

• K. Nishizuka, L. Xia, J. Xia, D. Zhang, L. Fang, C. Gray: Inter-organization cooperative DDoS protection mechanism. IETF Draft, 2016. https://tools.ietf.org/html/draft-nishizuka-dots-inter-domain-mechanism-02
• J. Steinberger, B. Kuhnert, A. Sperotto, H. Baier, A. Pras: Collaborative DDoS defense using flow-based security event information. In: IEEE/IFIP Network Operations and Management Symposium (NOMS), April 2016, pp. 516-522.
• B. Rashidi, C. Fung: CoFence: A Collaborative DDoS Defence Using Network Function Virtualization. In: 12th International Conference on Network and Service Management (CNSM), IEEE, 2016.
• R. Sahay, G. Blanc, Z. Zhang, H. Debar: Towards Autonomic DDoS Mitigation using Software Defined Networking. NDSS Workshop on Security of Emerging Networking Technologies, San Diego, CA, United States, February 2015.