New DDoS Defense Turns Servers Into 'Moving Targets'

The MOTAG system filters innocent clients from nefarious ones.

The distributed denial-of-service (DDoS) attack is the classic cheap hack. It requires virtually nothing of those who wield it beyond the ability to download something from the internet, yet a DDoS offers unusually public consequences (most real security breaches happen in the dark). It is also difficult to defend against, in some part because it doesn't involve actually breaching a network at all—just flooding it with more innocuous-seeming traffic than it can handle.

As described in the current issue of IEEE Computer, security researchers from George Mason University have developed a new defensive strategy that they claim can thwart DDoS attacks through a process of client-server connection "shuffling."

Their tool is dubbed MOTAG and it allows for the reliable segregation of malicious network traffic and normal or benign traffic. Clients connect to the servers as usual, but, by leveraging the excess computing and cloud resources found in many current hosts, MOTAG can quickly reassign clients to different servers based on simple criteria. In this way, and by using some reasonably simple classification rules, bogus traffic can be quarantined.

DDoS attacks take advantage of a basic property of servers, which is that they have a limited pool of connections available at any given time. This can be a very large number of connections, but it remains a finite quantity. Hit the same IP address and port again and again from unique IP addresses and ports, and eventually a line will form at the door, so to speak. The "distributed" part of the denial-of-service (usually) comes when an attacker uses some software to spoof the IP addresses of unwitting computers. (This is a fairly simplified view as DDoS attacks are becoming more and more sophisticated, and even, daresay, clever.)

"Instantiated server nodes can be classified into two groups: relatively static serving server nodes provide more reliable connection services for known innocent clients, while dynamic shuffling server nodes shuffle (reassign) operations to provide intermittent connections to suspicious clients," the George Mason paper explains. "During a DDoS attack, MOTAG will replace the shuffling server nodes with new ones and reassign the associated clients to those new nodes."

So, connections aren't outright denied to untrusted clients; they're just crappier. The effect is to make the host under attack into a moving target while isolating sketchy traffic, thus preserving resources for trusted clients.

Here's how it would work: Prior to a DDoS attack, every server is tagged as trusted. Every incoming client is assigned randomly to one of these servers and a connection is established. If one of these servers comes under attack, MOTAG tags it as such, along with every client currently connected to it. Next, a series of shuffles takes place where, on every shuffle, client-server connections are remade.

Image: George Mason

"After each shuffle, shuffling server nodes with malicious clients will still be under attack because those clients know the nodes' location (for example, IP address)," the researchers explain. "Shuffling server nodes no longer under attack will become serving server nodes, and MOTAG will tag the associated clients as trusted and consider them safe from the ongoing attack."

The system tags clients as untrusted based on whether or not they are connected to a server under attack, even if it doesn't actually know they're part of the attack. It then filters out the genuinely innocent clients (classified by basic criteria such as whether or not they actually respond to the server) by continually reshuffling them across more and more server nodes, until eventually the bad clients have landed on bad servers and the good clients on good servers. The randomness involved makes it kind of counterintuitive.
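To make the shuffle-and-tag process concrete, here is a small simulation written for this article (not code from the George Mason paper or the MOTAG system). It assumes a constructed model in which a node counts as "under attack" exactly when at least one attacking client knows its address, which is the only signal the defender uses; client ids, node counts and the seed are made up.

```python
import random

def motag_classify(clients, attackers, n_nodes, rounds, seed=0):
    """Simulate MOTAG-style client triage (constructed model, not the real system).

    clients   - all client ids; attackers - the subset that floods any node it is
                assigned to (a node is 'under attack' iff it hosts an attacker).
    n_nodes   - fresh shuffling nodes stood up for every round.
    Returns (trusted, suspicious, history) where history[i] is the number of
    trusted clients after shuffle round i+1.
    """
    rng = random.Random(seed)
    attackers = set(attackers)
    trusted, suspicious = set(), set()
    # Round 0: every node starts as a trusted serving node; clients land at random.
    nodes = {n: set() for n in range(n_nodes)}
    for c in clients:
        nodes[rng.randrange(n_nodes)].add(c)
    for members in nodes.values():
        if members & attackers:          # node under attack: tag all of its clients
            suspicious |= members
        else:
            trusted |= members
    history = []
    # Shuffle rounds: only suspicious clients are reassigned, to brand-new nodes
    # (new addresses), so an attacker can only flood the node it now sits on.
    for _ in range(rounds):
        nodes = {n: set() for n in range(n_nodes)}
        for c in suspicious:
            nodes[rng.randrange(n_nodes)].add(c)
        for members in nodes.values():
            if not members & attackers:  # no longer under attack -> serving node
                trusted |= members       # its clients are now tagged trusted
        suspicious -= trusted
        history.append(len(trusted))
    return trusted, suspicious, history

if __name__ == "__main__":
    # Constructed sample: 100 clients, 3 of them attackers, 10 nodes per round.
    clients = [f"c{i}" for i in range(100)]
    trusted, suspicious, history = motag_classify(clients, {"c3", "c41", "c77"}, 10, 40, seed=7)
    print("trusted:", len(trusted), "still suspicious:", sorted(suspicious))
    print("trusted count per round:", history)
```

Because an attacker keeps flooding whatever node it lands on, it can never reach the trusted set no matter how it behaves, while an innocent client only needs one round on a quiet node; the history shows how quickly the innocent majority is separated out, at the cost of the fresh nodes each round consumes.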

A significant catch is that this winds up requiring a lot of extra servers. MOTAG is really only possible given the increasing cheapness of computing resources.

"Even under attack, the protected system will be available to most innocent clients—protecting the organization's reputation, productivity, and revenue," the George Mason researchers conclude. "Because MOTAG identifies malicious users solely by detecting if the server is under attack, attackers can't evade detection by mimicking normal users."