Orchestrating DDoS mitigation via blockchain-based network provider collaborations
The Knowledge Engineering Review (IF 2.1), Pub Date: 2020-04-14, DOI: 10.1017/s0269888920000259
Adam Pavlidis, Marinos Dimolianis, Kostas Giotis, Loukas Anagnostou, Nikolaos Kostopoulos, Theocharis Tsigkritis, Ilias Kotinas, Dimitrios Kalogeras, Vasilis Maglaris

Network providers either attempt to handle massive distributed denial-of-service attacks themselves or redirect traffic to third-party scrubbing centers. If providers adopt the first option, it is sensible to counter such attacks in their infancy via provider collaborations deploying distributed security mechanisms across multiple domains in an attack path. This motivated our work presented in this paper. Specifically, we investigate the establishment of trusted federations among adjacent and disjoint network domains, that is, autonomous systems (ASes) that collectively mitigate malicious traffic. Our approach is based on Distributed Ledger Technologies for signaling, coordination, and orchestration of a collaborative mitigation schema via appropriate blockchain-based smart contracts. Reputation scores are used to rank ASes based on their mitigation track record. The allocation of defense resources across multiple collaborators is modeled as a combinatorial optimization problem considering reputation scores and network flow weights. Malicious flows are mitigated using programmable network data paths within the eXpress Data Path (XDP) framework; this enables operators with enhanced packet processing throughput and advanced filtering flexibility. Our schema was implemented in a proof-of-concept prototype and tested under realistic network conditions.

Updated: 2020-04-14