Defense Against Rapidly Morphing DDOS

Conference:  BlackHat USA 2019



The presentation discusses the use of machine learning in cybersecurity and DevOps to mitigate network and application layer attacks.
  • Machine learning can be used to detect anomalies in network and application layer attacks
  • Anomaly detection can be used to build signatures for intelligent mitigation
  • Intelligent mitigation involves slowing down traffic, dropping bad packets with precise signatures, and rate limiting based on special connections
  • Experiments show that machine learning can effectively defend against network and application layer attacks
The presentation describes an experiment where machine learning was used to defend against network level floods. The results showed that machine learning was able to identify and mitigate the attack within a few seconds, which is an unreachable result for a human. This illustrates the effectiveness of machine learning in cybersecurity.


In June 2018 ProtonMail suffered rapidly morphing sustained DDOS attacks that included Syn Floods, TCP handshake violations, TCP Zero Sequence, ACK floods, NTP non-standard port floods, reflection attacks on SSDP, NTP, Chargen, LDAP and Memcache protocols[1].We created an attack toolkit that mimics the ProtonMail attacks, and used it to study the efficacy of various defenses against an attack like ProtonMail suffered. We discovered that using standard techniques to fight off rapidly changing bursting attacks is near impossible for SOC operators, as speed of human action to understand the attack and apply well known mitigation is too slow. We found that a combination of an unsupervised Machine Learning algorithm to determine a baseline, perform anomaly detection and mitigation, and another Machine Learning algorithm to tune the performance of the first, yielded the most effective defense. With this scheme in place, the SOC operator did not have to react at machine speed but simply monitored the findings and the actions of the machine.References : https://protonmail.com/blog/a-brief-update-regarding-ongoing-ddos-incidents/



Post a comment