There’s a new twist in the never-ending cat-and-mouse game between hackers and hosting companies – although, of course, it’s really not a game. Providers face the constant, serious threat of DDoS (Distributed Denial of Service) attacks, which are relatively simple and inexpensive to launch but whose severity has increased dramatically over the last few years. These attacks often cause serious network downtime and massive financial losses, and they’re difficult to defend against because they don’t require impressive hacking skills, just a large flood of traffic.
Recent innovations have allowed remote DDoS protection services to absorb attacks of up to 500 Gbps, but there’s a new, promising strategy for DDoS protection, recently unveiled by security experts at George Mason University in the magazine IEEE Computer. They call it “shuffling,” but that simple term describes a sophisticated method of quickly changing clients’ server assignments to mitigate the effects of being DDoS’d and to find the source of the attack.
The DDoS protection tool the George Mason researchers developed is called MOTAG, short for “moving target defense mechanism.” It’s a method of rapidly “moving” secret internal proxies between network locations and changing clients’ proxy assignments in the event of an attack. MOTAG uses what’s called a “greedy shuffling algorithm” to choose the number of proxies needed to isolate the DDoS attack quickly without disrupting service. In effect, it turns the targeted server into a “moving target.”
Bear in mind that a DDoS attack involves a huge influx of traffic coming into a server, so the key is working out which clients are responsible for that traffic. In layman’s terms, here’s what MOTAG does once an attack begins. Clients whose proxies aren’t being targeted keep their existing connections, while all of those connected to a proxy under attack are labeled “suspicious.” After that, all suspicious clients are quickly reassigned to new proxy nodes in different locations.
Those whose new proxies are no longer under attack are then labeled “safe” and left alone; the clients who are still apparently involved in the attack continue to be shuffled to new proxies, until MOTAG is able to pinpoint the sources of the malicious traffic and quarantine them on proxies where they can’t affect the rest of the network.
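To make the shuffling idea concrete, here is a small simulation (an added example, not code from the George Mason researchers, and not their greedy algorithm) of the isolation loop described above. It assumes the attack model the article implies: proxy addresses are secret, so a proxy only gets flooded when one of the clients assigned to it leaks the address to the attacker. Every round, the still-suspicious clients are spread evenly across a fresh set of proxies; clients on proxies that stay quiet are marked safe, and a client that is alone on a flooded proxy is identified as an insider. The client names, the insider set and the proxy count are constructed test data.

```python
"""Simplified simulation of MOTAG-style client shuffling to isolate insiders.

Added example, not the researchers' code. Model assumptions (hypothetical):
  - a proxy is attacked in a round iff at least one client assigned to it
    is an insider who leaks the proxy address to the attacker;
  - the defender can observe which proxies are attacked, but not who leaked.
"""
import random


def assign(suspicious, num_proxies, rng):
    """Spread the suspicious clients as evenly as possible across
    num_proxies fresh proxies, in a random order.
    Returns {proxy_index: [clients]}."""
    order = list(suspicious)
    rng.shuffle(order)
    assignment = {}
    for i, client in enumerate(order):
        assignment.setdefault(i % num_proxies, []).append(client)
    return assignment


def shuffle_until_isolated(clients, insiders, num_proxies, seed=0, max_rounds=50):
    """Run shuffling rounds until every insider sits alone on a proxy.

    clients   : iterable of client identifiers (all start on the attacked server)
    insiders  : set of client identifiers that leak their proxy address
                (ground truth for the simulation; the defender never reads it
                directly, only the per-proxy attacked/quiet observation)
    Returns a dict with the round count, identified insiders, safe clients,
    and any clients still unresolved when max_rounds is hit.
    """
    rng = random.Random(seed)
    suspicious = set(clients)   # everyone on the flooded server is suspicious
    safe, identified = set(), set()
    rounds = 0
    while suspicious and rounds < max_rounds:
        rounds += 1
        # sorted() makes the partition reproducible for a given seed
        assignment = assign(sorted(suspicious), num_proxies, rng)
        next_suspicious = set()
        for members in assignment.values():
            # Observation available to the defender: is this proxy flooded?
            attacked = any(c in insiders for c in members)
            if not attacked:
                safe.update(members)            # quiet proxy: members cleared
            elif len(members) == 1:
                identified.update(members)      # alone and flooded: pinpointed
            else:
                next_suspicious.update(members) # still mixed: shuffle again
        suspicious = next_suspicious
    return {
        "rounds": rounds,
        "identified": identified,
        "safe": safe,
        "unresolved": suspicious,
    }


if __name__ == "__main__":
    # Constructed sample: 20 clients, two of which leak proxy addresses.
    sample_clients = [f"c{i}" for i in range(20)]
    result = shuffle_until_isolated(sample_clients, {"c3", "c17"}, num_proxies=4, seed=1)
    print(f"rounds={result['rounds']} insiders={sorted(result['identified'])} "
          f"safe={len(result['safe'])} unresolved={sorted(result['unresolved'])}")
```

Two properties of the loop are worth noticing. The suspicious set never grows, and as long as there are more proxies than insiders, at least one proxy stays quiet each round, so the set shrinks until each remaining client can be given a proxy of its own. If the attacker has as many insiders as the defender has proxies, every proxy can be flooded in every round and the loop stalls (the `unresolved` set is returned after `max_rounds`), which is the simulation's version of the article's point that the scheme depends on having enough distributed proxies.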
Benefits of MOTAG
MOTAG presents a solution that is both quick and efficient at blunting the effect of most “normal” DDoS attacks.
Experiments run by the George Mason researchers show that MOTAG is able to make each proxy switch in less than a second, which they say does not cause major service disruptions except for some real-time applications. This approach is noticeably faster than any previous DDoS protection scheme.
It’s also an efficient tool because it requires no manual detective work by administrators and does not affect service for “innocent” clients, since it only switches connections for those considered suspicious. And because the system keeps most proxy node IPs secret, an attacker can generally only reach a proxy with help from a client that knows its address, so MOTAG makes it easier to identify DDoS attacks made possible by insiders passing information to external attackers.
The one potential drawback of MOTAG is that it requires a number of servers in geographically distributed locations. However, today’s relatively low cost of resources, particularly with the availability of cloud servers, makes MOTAG a very promising weapon for DDoS protection.