DocumentCode
685976
Title
Conditional disclosure of encrypted whitelists for DDoS attack mitigation
Author
Bianchi, G. ; Rajabi, Hamid ; Caponi, Alberto ; Picierro, Giulio
fYear
2013
fDate
9-13 Dec. 2013
Firstpage
200
Lastpage
206
Abstract
Defensive techniques against Internet-scale attacks can significantly benefit from sharing network security data among different domains. One compelling example, proposed in this paper, is the case of whitelists for DDoS mitigation, where domains broadcast, for each possible DDoS target (!), the set of legitimate customers (client IP addresses) whose traffic should not be blocked while a DDoS attack is in progress. However, such a fine-grained whitelist sharing approach appears hardly appealing (to say the least) to operators; not only the indiscriminate sharing of customers' addresses raises privacy concerns, but also it discloses, to competitor domains, business critical information on the identity and activity of customers. In a previous work, we proposed a cryptographic approach called “conditional data sharing”, devised to permit disclosure of cross-domain shared fine-grained organized subsets of network monitoring data, only when a threshold number of domains are ready to reveal their data. In this paper, we cast such technique to a realistic scenario of whitelist sharing for DDoS mitigation, and we significantly extend the underlying cryptographic approach so as to support disclosure not only for threshold-based policies, but for more general (monotone) access structures.
Keywords
computer network security; cryptography; DDoS mitigation; Internet-scale attacks; client IP addresses; competitor domains; conditional data sharing; cross-domain shared fine-grained organized subsets; cryptographic approach; defensive techniques; domains broadcast; legitimate customers; network monitoring data; network security data sharing; privacy concerns; threshold-based policies; whitelist sharing; Access control; Computer crime; Conferences; Cryptography; IP networks; Monitoring;
fLanguage
English
Publisher
ieee
Conference_Titel
Globecom Workshops (GC Wkshps), 2013 IEEE
Conference_Location
Atlanta, GA
Type
conf
DOI
10.1109/GLOCOMW.2013.6824986
Filename
6824986