Securely Hiding the Real Servers from DDoS Floods
Main authors: | , |
---|---|
Format: | Conference proceeding |
Language: | eng ; jpn |
Subjects: | |
Online access: | Order full text |
Summary: | Distributed denial of service (DDoS) attacks remain one of the largest concerns for online businesses. Although an HTTPS-compatible scheme is necessary for many online services, several previously proposed defense schemes fail to combine HTTPS compatibility with practicality. In this paper, a novel defense architecture that blocks malicious traffic far from the protected servers is proposed. Protected servers are hidden inside a secure overlay network accessible only through a set of access nodes (ANs) with rate-limiting and access-control functionality. Protected servers are required to provide at least one dummy public server as the point for the initial connection step. An experimental prototype is implemented and tested. Results show that the system is compatible with the needs of e-commerce websites, that the AN's impact on protected-server performance is a less than 10% reduction in file transfer throughput, and that the public server could survive attack rates more than 10 times higher than an ordinary server. Through discussion we demonstrate the system's ability to protect the servers' resources from all attack types without sacrificing data integrity or confidentiality. To the best of our knowledge, we offer the first practical DDoS protection scheme fully compatible with HTTPS. |
---|---|
DOI: | 10.1109/SAINT.2010.62 |