MiddlePolice: Fine-Grained Endpoint-Driven In-Network Traffic Control for Proactive DDoS Attack Mitigation

Extended Version for MiddlePolice [40], Published in ACM CCS 2016

Zhuotao Liu, University of Illinois at Urbana-Champaign, zliu48@illinois.edu
Hao Jin, Nanjing University, jinhaonju@gmail.edu
Yih-Chun Hu, University of Illinois at Urbana-Champaign, yihchun@illinois.edu
Michael Bailey, University of Illinois at Urbana-Champaign, mdbailey@illinois.edu

CCS CONCEPTS
Security and privacy: Denial-of-service attacks; Security protocols. Networks: Transport protocols; Cloud computing; Network resources allocation.

1 ABSTRACT
Volumetric attacks, which overwhelm the bandwidth of a destination, are amongst the most common DDoS attacks today. One practical approach to addressing these attacks is to redirect all destination traffic (e.g., via DNS or BGP) to a third-party, DDoS-protection-as-a-service provider (e.g., CloudFlare) that is well provisioned and equipped with filtering mechanisms to remove attack traffic before passing the remaining benign traffic to the destination. An alternative approach is based on the concept of network capabilities, whereby source sending rates are determined by receiver consent, in the form of capabilities enforced by the network. While both third-party scrubbing services and network capabilities can be effective at reducing unwanted traffic at an overwhelmed destination, DDoS-protection-as-a-service solutions outsource all of the scheduling decisions (e.g., fairness, priority and attack identification) to the provider, while capability-based solutions require extensive modifications to existing infrastructure to operate. In this paper we introduce MiddlePolice, which seeks to marry the deployability of DDoS-protection-as-a-service solutions with the destination-based control of network capability systems.
We show that by allowing feedback from the destination to the provider, MiddlePolice can effectively enforce destination-chosen traffic control policies, while requiring no deployment from unrelated parties. Besides the above technical contributions, we also present what we learned through our industrial interviews with more than 100 interviewees from over 10 industry segments that are vulnerable to DDoS attacks. These profound discussions drive us to think what DDoS prevention really means for those who need protection, which may offer useful insight for the community to bridge the gap between academic research and industry practice.

2 INTRODUCTION
The Internet provides an open environment in which any host can communicate with any other host. As a result, security services have traditionally been deployed at each host, rather than inside the network, allowing each host to specify its own security policies, in accordance with the end-to-end principle. Unfortunately, traffic control cannot be accomplished solely by the end host, because modern traffic control algorithms expect the sender and receiver to cooperate to stay within the capacity of each link on the path from the sender to the receiver.

The initial work is published in ACM CCS 2016, titled MiddlePolice: Toward Enforcing Destination-Defined Policies in the Middle of the Internet [40].

Because the Internet does not enforce any flow control requirements apart from the end hosts, a number of attacks have been developed to overwhelm Internet end systems. The most significant of these attacks is the volumetric Distributed Denial-of-Service (DDoS) attack, representing over 65% of all DDoS attacks in 2015 [47]. In a volumetric DDoS, many attackers coordinate and send high-rate traffic to a victim, in an attempt to overwhelm the bottleneck links close to the victim. Typical Internet links use RED and drop-tail FIFO queuing disciplines, which provide nearly-equal loss rates to all traffic.
Consequently, saturated links impose equal loss rates on attacking and legitimate traffic alike. While legitimate traffic tends to back off to avoid further congestion, attack traffic need not back off, so links saturated by a DDoS attack are effectively closed to legitimate traffic. Recent DDoS attacks include a 620 Gbps attack against Krebs' security blog [32] and a 1 Tbps attack against OVH [31], a French ISP.

One common mitigation to this problem is the use of DDoS-protection-as-a-service providers, such as CloudFlare and Arbor Networks. These providers massively over-provision data centers for peak attack traffic loads and then share this capacity across many customers as needed. When under attack, victims use DNS or BGP to redirect traffic to the provider rather than their own networks. The DDoS-protection-as-a-service provider applies a variety of techniques to scrub this traffic, separating malicious from benign, and then re-injects only the benign traffic back into the network to be carried to the victim. Such methods are appealing, as they require no modification to the existing network infrastructure and can scale to handle very large attacks. However, these cloud-based systems use proprietary attack detection algorithms and filtering, and so cannot enforce business- or application-driven preferences desired by their customers. Second, because customers cannot know the scrubbing algorithms, false positives may result in the loss of actual customers invisibly to the victim. Finally, existing cloud-based systems assume that all traffic to the victim will be routed
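The queueing argument in the introduction (a saturated drop-tail FIFO link imposes the same loss rate on every sender, and because only the legitimate sender backs off, the link ends up effectively closed to it) can be made concrete with a small simulation. This is an added example, not code from the MiddlePolice paper or its authors; the link capacity, the senders' rates and the halve-on-loss reaction of the legitimate sender are constructed assumptions standing in for a real router queue and a real TCP sender.

```python
"""Why a saturated drop-tail FIFO link shuts out legitimate traffic.

Added illustrative simulation; not code from the MiddlePolice paper.
Everything here is constructed: the link capacity, the senders' rates and
the simple halve-on-loss reaction of the legitimate sender.
"""

from dataclasses import dataclass

LINK_CAPACITY = 100   # packets the bottleneck forwards per round (constructed)
INCREMENT = 5         # additive increase per loss-free round (constructed)


@dataclass
class Sender:
    name: str
    rate: int          # packets offered to the link this round
    backs_off: bool    # True: halve rate on loss, else add INCREMENT (AIMD-like)
    max_rate: int      # ceiling for the additive increase


def fifo_drop_tail(offered: dict[str, int]) -> dict[str, int]:
    """Serve one round through a drop-tail FIFO link.

    Packets arrive interleaved in proportion to each sender's rate, so once
    the queue is full every sender loses the same fraction: each sender's
    delivered share equals its offered share. Integer division models whole
    packets.
    """
    total = sum(offered.values())
    if total <= LINK_CAPACITY:
        return dict(offered)                      # no congestion, no loss
    return {name: rate * LINK_CAPACITY // total for name, rate in offered.items()}


def loss_fraction(offered: int, delivered: int) -> float:
    """Fraction of this sender's offered packets the link dropped."""
    return 0.0 if offered == 0 else (offered - delivered) / offered


def react(sender: Sender, lost: bool) -> None:
    """The legitimate sender reacts to congestion; the attacker ignores it."""
    if not sender.backs_off:
        return
    if lost:
        sender.rate = max(1, sender.rate // 2)
    else:
        sender.rate = min(sender.max_rate, sender.rate + INCREMENT)


def run_scenario(attack_rate: int, rounds: int = 15) -> list[dict]:
    """Simulate a legitimate sender sharing the link with a constant-rate
    attacker (attack_rate=0 means no attack). Returns one record per round
    with offered, delivered and loss fraction for both senders."""
    legit = Sender("legit", rate=50, backs_off=True, max_rate=LINK_CAPACITY)
    attacker = Sender("attack", rate=attack_rate, backs_off=False,
                      max_rate=attack_rate)
    records = []
    for i in range(rounds):
        offered = {legit.name: legit.rate, attacker.name: attacker.rate}
        delivered = fifo_drop_tail(offered)
        rec = {"round": i}
        for s in (legit, attacker):
            rec[f"{s.name}_offered"] = offered[s.name]
            rec[f"{s.name}_delivered"] = delivered[s.name]
            rec[f"{s.name}_loss"] = loss_fraction(offered[s.name], delivered[s.name])
            react(s, lost=delivered[s.name] < offered[s.name])
        records.append(rec)
    return records


if __name__ == "__main__":
    for label, rate in (("no attack", 0), ("volumetric attack", 400)):
        print(f"--- {label} ---")
        for r in run_scenario(rate):
            print(f"round {r['round']:2d}: "
                  f"legit {r['legit_delivered']:3d}/{r['legit_offered']:3d} "
                  f"(loss {r['legit_loss']:.2f})  "
                  f"attack {r['attack_delivered']:3d}/{r['attack_offered']:3d} "
                  f"(loss {r['attack_loss']:.2f})")
```

Without an attacker the legitimate sender ramps up to the full link capacity and never sees loss. With a constant 400-packet attacker on a 100-packet link, the first congested round drops exactly the same fraction (0.78) of both senders' packets, which is the "nearly-equal loss rates" the introduction describes; the legitimate sender halves its rate in response while the attacker does not, and within five rounds the legitimate sender's delivered rate is zero even though it is still offering packets. The FIFO queue is being perfectly fair per packet, which is precisely why per-packet fairness is the wrong policy here and why the destination needs a say in which senders get the link.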