ABSTRACT
The paper studies two types of events that often overload Web sites to the point where their services are degraded or disrupted entirely: flash events (FEs) and denial of service attacks (DoS). The former are created by legitimate requests and the latter contain malicious requests whose goal is to subvert the normal operation of the site. We study the properties of both types of events with special attention to the characteristics that distinguish the two. Identifying these characteristics allows the formulation of a strategy for Web sites to quickly discard malicious requests. We also show that some content distribution networks (CDNs) may not provide the desired level of protection to Web sites against flash events. We therefore propose an enhancement to CDNs that offers better protection and use trace-driven simulations to study the effect of our enhancement on CDNs and Web sites.