Computer Networks
Volume 51, Issue 15, 24 October 2007, Pages 4252-4269
doi:10.1016/j.comnet.2007.05.005
Copyright © 2007 Elsevier B.V. All rights reserved.

AID: A global anti-DoS service

Shigang Chen (a, corresponding author), Yibei Ling (b), Randy Chow (a) and Ye Xia (a)

(a) Department of Computer and Information Science and Engineering, University of Florida, United States
(b) Applied Research Laboratories, Telcordia Technologies, United States

Received 4 September 2006; 
revised 14 January 2007; 
accepted 22 May 2007. 
Responsible Editor: R. Molva. 
Available online 5 June 2007.


Abstract

Distributed denial of service (DDoS) has long been an open security problem of the Internet. Most proposed solutions require the upgrade of routers across the Internet, which is extremely difficult to realize, considering that the Internet consists of a very large number of autonomous systems with routers from different vendors deployed over decades. A promising alternative strategy is to avoid the universal upgrade of router infrastructure and instead rely on an overlay of end systems. The prior anti-DoS overlays were designed to protect emergency services for authorized clients. They assume that trust exists between authorized clients and a private server. Only authenticated traffic can pass through the overlay network to reach the server, while attack traffic is not admitted without passing the authentication. The follow-up extension of the anti-DoS overlays to web service has other serious limitations. This paper addresses an important problem: how to design an anti-DoS overlay service (called AID) that protects general-purpose public servers while overcoming the limitations of the existing systems? Anyone, including the attackers, should be able to access the server, so authentication can no longer be the means of defense. While both normal and malicious clients are given access, AID is designed to fend off attack traffic while letting legitimate traffic through. Its operations are completely transparent to the users (humans or hosts), the client/server software, and the internal/core routers. To connect the AID service nodes (which are end systems), we choose a random overlay network for its rich, unpredictable connectivity, short diameter, and ease of management. We use a distributed virtual-clock packet scheduling algorithm to restrict the amount of data any client can impose on AID. We analyze the properties of the AID service based on probabilistic models.
Our simulations demonstrate that AID can effectively protect legitimate traffic from attack traffic. Even when 10% of all clients attack, just 1.4% of legitimate traffic is mistakenly blocked, no matter how aggressive the attackers are.
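The abstract names a virtual-clock scheduler as the mechanism that bounds how much data any one client can push into the overlay, but does not describe it. The following is an added example, not code from the paper, that illustrates the classic VirtualClock idea on a single node: each client's clock advances by a packet's service time at the client's allowed rate, and a clock that runs ahead of real time by more than a fixed window reveals a client exceeding its allowance, whose packets are then dropped. The rate, window, packet sizes and the two client traces are constructed values; the distributed, multi-node form used by AID is an assumption beyond what this single-node sketch shows.

```python
from dataclasses import dataclass
from fractions import Fraction


@dataclass
class ClientClock:
    """Per-client virtual clock state (illustrative only, not AID's data structure)."""
    rate_bps: int              # bytes per second this client is allowed to impose
    window_ms: int             # how far the virtual clock may lead real time
    vclock_ms: Fraction = Fraction(0)
    admitted: int = 0
    dropped: int = 0


def admit(clock: ClientClock, arrival_ms: int, size_bytes: int) -> bool:
    """One VirtualClock step for a single packet.

    The clock is advanced by the time the packet would take to serve at the
    client's allowed rate. If that puts the clock more than `window_ms` ahead
    of real time, the client has been sending faster than allowed and the
    packet is dropped (the clock is not advanced for dropped packets).
    Exact rational arithmetic avoids float rounding at the boundary.
    """
    cost_ms = Fraction(size_bytes * 1000, clock.rate_bps)
    candidate = max(clock.vclock_ms, Fraction(arrival_ms)) + cost_ms
    if candidate - arrival_ms > clock.window_ms:
        clock.dropped += 1
        return False
    clock.vclock_ms = candidate
    clock.admitted += 1
    return True


def run_trace(packets, rate_bps=10_000, window_ms=500):
    """Feed (client, arrival_ms, size_bytes) tuples through per-client clocks.

    Returns {client: (admitted, dropped)}. Clocks are independent, so the
    order of packets that share an arrival time does not affect the result.
    """
    clocks = {}
    for client, arrival_ms, size_bytes in sorted(packets, key=lambda p: p[1]):
        clock = clocks.setdefault(client, ClientClock(rate_bps, window_ms))
        admit(clock, arrival_ms, size_bytes)
    return {name: (c.admitted, c.dropped) for name, c in clocks.items()}


# Constructed sample traces: a legitimate client sending 1000-byte packets at
# exactly its allowed 10 kB/s, and an attacker sending the same packets ten
# times as fast over the same one-second interval.
LEGIT = [("legit", t, 1000) for t in range(0, 1000, 100)]
ATTACK = [("attacker", t, 1000) for t in range(0, 1000, 10)]

if __name__ == "__main__":
    for client, (ok, bad) in run_trace(LEGIT + ATTACK).items():
        print(f"{client}: admitted={ok} dropped={bad}")
```

With these constructed values the legitimate client loses nothing, while the attacker gets an initial burst of five packets (the window) and then one packet per 100 ms, the same rate the legitimate client enjoys; the remaining 86 packets are dropped before they consume overlay bandwidth. The window parameter is the tuning knob: a larger window tolerates burstier legitimate clients at the cost of a larger burst any attacker can inject before the clock catches it.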

Keywords: Network-level security and protection; Denial of service attacks; Overlay networks

Article Outline

1. Introduction
1.1. Background
1.1.1. Router-based defense
1.1.2. Host-based defense
1.1.3. Overlay-based defense
1.2. Our contributions
2. Motivation
2.1. Self-complete defense systems
2.2. Overlay defense systems
3. A global anti-DoS service
3.1. Overall system architecture
3.1.1. Secure VPN overlay
3.1.2. Operation overview
3.1.3. Handling attacks
3.2. Topology requirements
3.3. Random overlay network
3.4. Constructing tunnel tree from clients to server under attack
3.5. Distributed virtual-clock packet scheduling
3.6. Determining T
4. Discussions
4.1. Attack detection
4.2. Minimizing traffic on overlay
4.3. Implementation
4.4. Robustness of the AID system
5. Analysis
5.1. Convergence time
5.2. Misblocking percentage
5.2.1. Exponential distribution
5.2.2. Normal distribution
5.2.3. Singular distribution
6. Simulation results
6.1. Effectiveness of AID
6.2. Against a large number of attackers
6.3. Impact of β
7. Conclusion
Appendix A. Proofs
Appendix B. Deriving p3
References
Vitae