Mitigating DRDoS Network Attacks via Consolidated Deny Filter Rules


Todd Booth
Karl Andersson

Keywords

DDoS, DRDoS, BGP4 Flow-Spec, Cloud security

Abstract

This article concerns distributed reflection denial of service (DRDoS) attacks. These attacks are
becoming more frequent and larger in scale, and are one of the biggest threats on the Internet. This
paper discusses the best way to defend against these attacks, at very low cost, using public cloud
defenses such as Amazon AWS, Google GCP, and Microsoft Azure. Our mitigation strategy takes
advantage of the fact that, in reflective attacks, the attacker does not have full control over the
source IP port and cannot set it to anything they want. We propose that the customer host their Web
servers and other supporting servers in the public cloud. The cloud provider then reserves a CIDR
block of IP addresses that will be protected. The cloud provider's customers who opt in are allocated
an IP address from this block. This block is used as the source IP address deny portion of the
firewall rule-sets. The public cloud providers then use BGP4 Flow-Spec, or a scripting solution, to
have their IP service provider neighbors perform the actual filtering of the DRDoS attack traffic
aimed at these servers.
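The consolidation the abstract describes, as an added illustration that is not code from the paper: the reserved block becomes one source-address deny rule instead of one rule per opted-in customer. The block, the customer addresses and the sample packets are constructed, and the choice to exempt the cloud provider's own link from the deny is an assumption the abstract does not state.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample values, not taken from the paper: the block the cloud
# provider reserves for opted-in customers, and three opted-in allocations.
PROTECTED_BLOCK = ipaddress.ip_network("203.0.113.0/24")
OPTED_IN = ["203.0.113.10", "203.0.113.11", "203.0.113.200"]

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ingress: str  # "cloud": link from the cloud provider; "peer": any other link

def per_host_deny_rules(opted_in):
    """One /32 deny rule per opted-in customer: grows with every allocation."""
    return [ipaddress.ip_network(f"{ip}/32") for ip in opted_in]

def consolidated_deny_rules(block):
    """A single rule for the whole reserved block. Unallocated addresses send
    nothing legitimately, so denying the whole block costs nothing."""
    return [block]

def filter_packet(pkt, rules):
    """Return 'deny' or 'permit' for a packet seen by the neighbor ISP.
    Assumption (not stated in the abstract): the deny applies only to packets
    arriving from links other than the cloud provider's own, since that is the
    only place a source address inside the block can be genuine."""
    if pkt.ingress == "cloud":
        return "permit"
    src = ipaddress.ip_address(pkt.src)
    if any(src in rule for rule in rules):
        return "deny"  # spoofed source inside the protected block
    return "permit"

def run_demo():
    rules = consolidated_deny_rules(PROTECTED_BLOCK)
    # Constructed traffic: a spoofed request carrying a protected address,
    # the protected server's own outbound traffic, and an unrelated packet.
    traffic = [
        Packet("203.0.113.10", "198.51.100.53", "peer"),   # spoofed: deny
        Packet("203.0.113.10", "198.51.100.53", "cloud"),  # genuine: permit
        Packet("192.0.2.7", "203.0.113.10", "peer"),       # unrelated: permit
    ]
    return [filter_packet(p, rules) for p in traffic]

if __name__ == "__main__":
    print(len(per_host_deny_rules(OPTED_IN)), "per-host rules vs",
          len(consolidated_deny_rules(PROTECTED_BLOCK)), "consolidated rule")
    print(run_demo())  # ['deny', 'permit', 'permit']
```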