Mudhakar Srivatsa
Ling Liu
Abstract
Recently, we have seen increasing numbers of denial of service (DoS) attacks against online services and Web applications either for extortion reasons or for impairing and even disabling the competition. These DoS attacks have increasingly targeted the application level. Application-level DoS attacks emulate the same request syntax and network-level traffic characteristics as those of legitimate clients, thereby making the attacks much harder to detect and counter. Moreover, such attacks often target bottleneck resources such as disk bandwidth, database bandwidth, and CPU resources. In this article, we propose handling DoS attacks by using a twofold mechanism. First, we perform admission control to limit the number of concurrent clients served by the online service. Admission control is based on port hiding that renders the online service invisible to unauthorized clients by hiding the port number on which the service accepts incoming requests. Second, we perform congestion control on admitted clients to allocate more resources to good clients. Congestion control is achieved by adaptively setting a client's priority level in response to the client's requests in a way that can incorporate application-level semantics. We present a detailed evaluation of the proposed solution using two sample applications: Apache HTTPD and the TPCW benchmark (running on Apache Tomcat and IBM DB2). Our experiments show that the proposed solution incurs low performance overhead and is resilient to DoS attacks.
- Apache. 2004. Apache tomcat servlet/JSP container. http://jakarta.apache.org/tomcat.]]Google Scholar
- Apache. 2005a. Apache HTTP server. http://httpd.apache.org.]]Google Scholar
- Apache. 2005b. Introduction to server side includes. http://httpd.apache.org/docs/howto/ssi.html.]]Google Scholar
- Bernstein, D. J. 2005. SYN cookies. http://cr.yp.to/syncookies.html.]]Google Scholar
- Black, D. RFC 2983: Differentiated services and tunnels. http://www.faqs.org/rfcs/rfc2983.html.]] Google ScholarDigital Library
- Cardellini, V., Casalicchio, E., Colajanni, M., and Mambelli, M. 2002. Enhancing a Web server cluster with quality of service mechanisms. In Proceedings of 21st IEEE International Performance Computing and Communications Conference (IPCCC).]] Google ScholarDigital Library
- CERT. 2004. Incident note IN-2004-01 W32/Novarg.A virus.]]Google Scholar
- Chandra, S., Ellis, C. S., and Vahdat, A. 2000. Application-level differentiated multimedia Web services using quality aware transcoding. In Proc. IEEE (Special Issue on QoS in the Internet).]]Google Scholar
- Cherkasova, L. and Phaal, P. 2002. Session based admission control: A mechanism for Web QoS. In IEEE Trans. Comput.]] Google ScholarDigital Library
- Crosby, S. A. and Wallach, D. S. 2003. Denial of service via algorithmic complexity attacks. In Proceedings of 12th USENIX Security Symposium. 29--44.]] Google ScholarDigital Library
- DARPA. 1981. RFC 793: Transmission control protocol. http://www.faqs.org/rfcs/rfc793.html.]]Google Scholar
- Dierks, T. and Allen, C. RFC 2246: The TLS protocol. http://www.ietf.org/rfc/rfc2246.txt.]]Google Scholar
- Egevang, K. and Francis, P. 1994. RFC 1631: The IP network address translator (NAT). http://www.faqs.org/rfcs/rfc1631.html.]] Google ScholarDigital Library
- Ferguson, R. and Senie, D. 1998. RFC 2267: Network ingress filtering: Defeating denial of service attacks which employ IP source address spoofing. http://www.faqs.org/rfcs/rfc2267.html.]] Google ScholarDigital Library
- FIPS. Data encryption standard (DES). http://www.itl.nist.gov/fipspubs/fip46-2.htm.]]Google Scholar
- FireFox. 2005. Mozilla firefox Web browser. http://www.mozilla.org/products/firefox.]]Google Scholar
- Google. Google mail. http://mail.google.com/.]]Google Scholar
- Google. Google maps. http://maps.google.com/.]]Google Scholar
- Halfbakery. Stateless TCP/IP server. http://www.halfbakery.com/idea/Stateless_20TCP_2fIP_20server.]]Google Scholar
- Harkins, D. and Carrel, D. 1998. RFC 2409: The Internet key exchange (IKE). http://www.faqs.org/rfcs/rfc2409.html.]] Google ScholarDigital Library
- IBM. 2005. DB2 universal database. http://www-306.ibm.com/software/data/db2.]]Google Scholar
- Iyengar, A., Ramaswamy, L., and Schroeder, B. 2005. Web content delivery. In Techniques for Efficiently Serving and Caching Dynamic Web Content, X. Tang, J. Xu, and S. Chanson Ed., Springer.]]Google Scholar
- Juels, A. and Brainard, J. 1999. Client puzzle: A cryptographic defense against connection depletion attacks. In Proceedings of Networks and Distributed Systems Security Symposium (NDSS).]]Google Scholar
- Jung, J., Krishnamurthy, B., and Rabinovich, M. 2002. Flash crowds and denial of service attacks: Characterization and implications for CDNS and Web sites. In Proceedings of 11th World Wide Web Conference (WWW'02).]] Google ScholarDigital Library
- Kandula, S., Katabi, D., Jacob, M., and Berger, A. 2005. Botz-4-sale: Surviving organized DDoS attacks that mimic flash crowds. In Proceedings of 2nd USENIX Symposium on Networked Systems Design and Implementation (NSDI).]] Google ScholarDigital Library
- Kent, S. 1998. RFC 2401: Secure architecture for the Internet protocol. http://www.ietf.org/rfc/rfc2401.txt.]] Google ScholarDigital Library
- Leyden, J. 2003. East European gangs in online protection racket. www.theregister.co.uk/2003/11/12/east-european-gangs-in-online/.]]Google Scholar
- NetFilter. Netfilter/IPTables project homepage. http://www.netfilter.org/.]]Google Scholar
- Netscape. Javascript language specification. http://wp.netscape.com/eng/javascript/.]]Google Scholar
- Nichols, K., Blake, S., Baker, F., and Black, D. RFC 2474: Definition of the differentiated services field (DS field) in the IPv4 and IPv6 headers. http://www.faqs.org/rfcs/rfc2474.html.]] Google ScholarDigital Library
- NIST. AES: Advanced encryption standard. http://csrc.nist.gov/CryptoToolkit/aes/.]]Google Scholar
- OpenSSL. Openssl. http://www.openssl.org/.]]Google Scholar
- PHARM. 2000. Java TPCW implementation distribution. http://www.ece.wisc.edu/~pharm/tpcw.shtml.]]Google Scholar
- Poulsen, K. 2004. FBI busts alleged ddos mafia. www.securityfocus.com/news/9411.]]Google Scholar
- Savage, S., Wetherall, D., Karlin, A., and Anderson, T. 2000. Practical network support for IP traceback. In Proceedings of ACM SIGCOMM.]] Google ScholarDigital Library
- SHA1. 2001. US secure hash algorithm I. http://www.ietf.org/rfc/rfc3174.txt.]]Google Scholar
- Siris, V. A. and Papagalou, F. 2004. Application of anomaly detection algorithms for detecting SYN flooding attacks. In Proceedings of IEEE Global Telecommunications Conference (GLOBECOM).]]Google Scholar
- Srivatsa, M., Iyengar, A., Yin, J., and Liu, L. 2006a. A client-transparent approach to defend against denial of service attacks. In Proceedings of the 25th IEEE Symposium on Reliable Distributed Systems (SRDS).]] Google ScholarDigital Library
- Srivatsa, M., Iyengar, A., Yin, J., and Liu, L. 2006b. A middleware system for protecting against application level denial of service attacks. In Proceedings of the 7th ACM/IFIP/USENIX Middleware Conference.]] Google ScholarDigital Library
- Stoica, I., Shenker, S., and Zhang, H. 1998. Core-stateless fair queuing: A scalable architecture to approximate fair bandwidth allocations in high speed networks. In Proceedings of ACM SIGCOMM.]] Google ScholarDigital Library
- Stubblefield, A. and Dean, D. 2001. Using client puzzles to protect TLS. In Proceedings of the USENIX Security Symposium.]] Google ScholarDigital Library
- TPC. 2000. TPCW: Transactional e-commerce benchmark. http://www.tpc.org/tpcw.]]Google Scholar
- Wang, X. and Reiter, M. K. 2004. Mitigating bandwidth-exhaustion attacks using congestion puzzles. In Proceedings of 11th ACM Computer and Communications Security Conference (CCS).]] Google ScholarDigital Library
- Waters, B., Juels, A., Halderman, A., and Felten, E. W. 2004. New client puzzle outsourcing techniques for DoS resistance. In Proceedings of 11th ACM Computer and Communications Security Conference (CCS).]] Google ScholarDigital Library
- Wei, C. K. 2005. AJAX: Asynchronous Java + XML. http://www.developer.com/design/article.php/3526681.]]Google Scholar
- Xu, J. and Lee, W. 2003. Sustaining availability of Web services under distributed denial of service attacks. In IEEE Trans. Comput. 52, 2, 195--208.]] Google ScholarDigital Library
- Yang, B. and Garcia-Molina, H. 2002. Improving search in peer-to-peer networks. In Proceedings of the IEEE 22nd International Conference on Distributed Computer Systems (ICDCS'03).]] Google ScholarDigital Library
- Yang, X., Wetherall, D., and Anderson, T. 2005. A DoS-limiting network architecture. In Proceedings of ACM SIGCOMM.]] Google ScholarDigital Library
- Yin, H. and Wang, H. 2005. Building an application-aware IPSec policy system. In Proceedings of the USENIX Security Symposium.]] Google ScholarDigital Library
Index Terms
- Mitigating application-level denial of service attacks on Web servers: A client-transparent approach
Recommendations
A Client-Transparent Approach to Defend Against Denial of Service Attacks
SRDS '06: Proceedings of the 25th IEEE Symposium on Reliable Distributed SystemsDenial of Service (DoS) attacks attempt to consume a server's resources (network bandwidth, computing power, main memory, disk bandwidth etc) to near exhaustion so that there are no resources left to handle requests from legitimate clients. An effective ...
Mitigating denial of service attacks: a tutorial
This tutorial describes what Denial of Service (DOS) attacks are. how they can be carried out in IP networks, and how one can defend against them. Distributed DoS (DDoS) attacks are included here as a subset of DoS attacks. A DoS attack has two phases: ...
Improvements on the WTLS protocol to avoid denial of service attacks
The current WTLS protocol is closely modeled after the well-studied SSL protocol. However, since some differences exist between these two protocols, even if the SSL protocol is secure, the WTLS protocol may not. We propose three kinds of possible Denial ...
Reviews
Ruay-Shiung Chang
When the response from Google or Yahoo! is slow, you may think, "What a busy day it is!" But the actual truth may be that these Web sites are being attacked using the denial of service (DoS) tactic. A DoS attack is an attempt to make a service unavailable to its intended users. In the real world, a terrorist may attack a place to make it unavailable. In the networked world, the means to carry out and the motives for DoS attacks vary. However, the goal is always the same: to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely. This paper proposes an architecture that includes admission-control and congestion-control mechanisms to thwart DoS attacks. Extensive experiments show that this approach has low performance overhead and is resilient to DoS attacks. Preventing DoS attacks is difficult, if not impossible. First of all, it is hard to differentiate between real user traffic and DoS attack traffic. Second, the frontier machine, meant to defend from the DoS attack, is itself under attack; there is nothing to protect it. In this paper, the doorkeeper machine uses a challenge-response strategy to determine if a client is legitimate. To prevent the challenge-response server from being drowned by DoS attack packets, the paper ensures that calculating the response is several orders of magnitude costlier than the challenge. However, it still does not solve the distributed DoS (DDoS) problem. If the response is 1,000 times more difficult than the challenge, perhaps 1,000,000 zombie clients will swamp the challenge server. This paper is quite long (49 pages); therefore, you know it's meticulous. As a result, the reader will learn a lot about DoS. Online Computing Reviews Service
Access critical reviews of Computing literature here
Become a reviewer for Computing Reviews.
Comments