DOI: 10.1145/948109.948114

Using graphic turing tests to counter automated DDoS attacks against web servers

Published: 27 October 2003

ABSTRACT

We present WebSOS, a novel overlay-based architecture that provides guaranteed access to a web server that is targeted by a denial of service (DoS) attack. Our approach exploits two key characteristics of the web environment: its design around a human-centric interface, and the extensibility inherent in many browsers through downloadable "applets." We guarantee access to a web server for a large number of previously unknown users, without requiring pre-existing trust relationships between users and the system.

Our prototype requires no modifications to either servers or browsers, and makes use of graphical Turing tests, web proxies, and client authentication using the SSL/TLS protocol, all readily supported by modern browsers. We use the WebSOS prototype to conduct a performance evaluation over the Internet using PlanetLab, a testbed for experimentation with network overlays. We determine the end-to-end latency using both a Chord-based approach and our shortcut extension. Our evaluation shows that these increase latency by a factor of 7 and 2 respectively, confirming our simulation results.


Published in
CCS '03: Proceedings of the 10th ACM conference on Computer and communications security
October 2003
374 pages
ISBN: 1581137389
DOI: 10.1145/948109

Copyright © 2003 ACM


Publisher: Association for Computing Machinery, New York, NY, United States
