ABSTRACT
We present WebSOS, a novel overlay-based architecture that provides guaranteed access to a web server that is targeted by a denial of service (DoS) attack. Our approach exploits two key characteristics of the web environment: its design around a human-centric interface, and the extensibility inherent in many browsers through downloadable "applets." We guarantee access to a web server for a large number of previously unknown users, without requiring pre-existing trust relationships between users and the system. Our prototype requires no modifications to either servers or browsers, and makes use of graphical Turing tests, web proxies, and client authentication using the SSL/TLS protocol, all readily supported by modern browsers. We use the WebSOS prototype to conduct a performance evaluation over the Internet using PlanetLab, a testbed for experimentation with network overlays. We determine the end-to-end latency using both a Chord-based approach and our shortcut extension. Our evaluation shows that latency increases by a factor of 7 and 2 respectively, confirming our simulation results.
Using graphic Turing tests to counter automated DDoS attacks against web servers