DDoS-shield: DDoS-resilient scheduling to counter application layer attacks
Full text: PDF (761 KB)
Source: IEEE/ACM Transactions on Networking (TON)
Volume 17, Issue 1 (February 2009)
Pages 26-39
Year of Publication: 2009
ISSN: 1063-6692
Authors
Supranamaya Ranjan  Narus Inc., Mountain View, CA and Department of Electrical and Computer Engineering, Rice University, Houston, TX
Ram Swaminathan  HP Laboratories, Palo Alto, CA
Mustafa Uysal  HP Laboratories, Palo Alto, CA
Antonio Nucci  Narus Inc., Mountain View, CA
Edward Knightly  Department of Electrical and Computer Engineering, Rice University, Houston, TX
Publisher
IEEE Press  Piscataway, NJ, USA
DOI: 10.1109/TNET.2008.926503

ABSTRACT

Countering distributed denial of service (DDoS) attacks is becoming ever more challenging with the vast resources and techniques increasingly available to attackers. In this paper, we consider sophisticated attacks that are protocol-compliant, non-intrusive, and use legitimate application-layer requests to overwhelm system resources. We characterize application-layer resource attacks as request flooding, asymmetric, or repeated one-shot, according to the application workload parameters they exploit. To protect servers from these attacks, we propose a counter-mechanism, DDoS Shield, that consists of a suspicion assignment mechanism and a DDoS-resilient scheduler. In contrast to prior work, our suspicion mechanism assigns each client session a continuous value rather than a binary measure, and the scheduler uses these values to decide whether and when to schedule a session's requests. Using testbed experiments on a web application, we demonstrate the potency of these resource attacks and evaluate the efficacy of our counter-mechanism. For instance, we mount an asymmetric attack that overwhelms the server resources, increasing the response time of legitimate clients from 0.3 seconds to 40 seconds. Under the same attack scenario, DDoS Shield brings the victims' response time down to 1.5 seconds.
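The abstract describes two pieces: a per-session suspicion score that is continuous rather than binary, and a scheduler that uses the score to decide whether and when a session's requests are served. The following simulation is an added illustration of that split, not the paper's DDoS Shield implementation: the scoring rule (excess of a session's request rate and mean per-request cost over a legitimate baseline), the drop threshold, the constructed workload (five legitimate clients, ten asymmetric attackers issuing costly requests at a normal rate, one request-flooding attacker) and the assumption that per-request service cost is observable are all assumptions made here. It compares plain FIFO service against the suspicion-driven scheduler on the same workload.

```python
"""Toy model of a DDoS-Shield-style defense (added illustration, not the paper's
code): a continuous per-session suspicion score plus a scheduler that uses it to
decide IF (drop above a threshold) and WHEN (least-suspicious-first) a session's
requests are served. Scoring rule, thresholds and workload are assumptions."""
import heapq
from dataclasses import dataclass
from typing import Dict, List, Tuple

BASE_RATE = 1.0      # assumed legitimate request rate, requests/s
BASE_COST = 0.03     # assumed legitimate mean service time per request, s
DROP_THRESHOLD = 0.9  # assumed cut-off above which a session is never scheduled


@dataclass
class Session:
    sid: str
    arrivals: List[float]  # request arrival times (s)
    costs: List[float]     # observed service time of each request (s); assumed observable


def suspicion(sess: Session, base_rate: float = BASE_RATE, base_cost: float = BASE_COST) -> float:
    """Continuous suspicion in [0, 1): 0 when the session's request rate and mean
    per-request cost match the baseline, rising towards 1 as either exceeds it.
    A flooding session inflates the rate ratio; an asymmetric one the cost ratio."""
    n = len(sess.arrivals)
    rate = (n - 1) / (sess.arrivals[-1] - sess.arrivals[0]) if n > 1 else base_rate
    mean_cost = sum(sess.costs) / n
    excess = max(1.0, rate / base_rate) * max(1.0, mean_cost / base_cost)
    return 1.0 - 1.0 / excess


def simulate(sessions: List[Session], policy: str = "shield",
             drop_threshold: float = DROP_THRESHOLD) -> Tuple[Dict[str, List[float]], int]:
    """Single-server discrete-event simulation.
    policy="fifo":   serve in arrival order (no defense).
    policy="shield": drop sessions whose suspicion >= drop_threshold, otherwise
                     serve the least suspicious pending request first (FIFO on ties).
    Returns per-session response times and the number of dropped requests."""
    score = {s.sid: suspicion(s) for s in sessions}
    reqs = sorted((t, s.sid, c) for s in sessions for t, c in zip(s.arrivals, s.costs))
    resp: Dict[str, List[float]] = {s.sid: [] for s in sessions}
    pending: List[Tuple[float, float, str, float]] = []  # (priority, arrival, sid, cost)
    clock, i, dropped = 0.0, 0, 0
    while i < len(reqs) or pending:
        while i < len(reqs) and reqs[i][0] <= clock:  # admit everything that has arrived
            t, sid, c = reqs[i]
            i += 1
            if policy == "shield" and score[sid] >= drop_threshold:
                dropped += 1  # the "if": this session's requests are never scheduled
                continue
            prio = score[sid] if policy == "shield" else 0.0
            heapq.heappush(pending, (prio, t, sid, c))  # the "when": lowest suspicion first
        if not pending:
            clock = reqs[i][0]  # server idle: jump to the next arrival
            continue
        _, t, sid, c = heapq.heappop(pending)
        clock += c  # serve the request; clock >= t because it was admitted
        resp[sid].append(clock - t)
    return resp, dropped


def build_workload() -> List[Session]:
    """Constructed workload (not the paper's testbed data): 5 legitimate clients at
    1 req/s, 10 asymmetric attackers at 1 req/s with 8x costlier requests, and one
    request-flooding attacker at 20 req/s with normal-cost requests."""
    legit = [Session(f"legit{k}", [j + 0.2 * k for j in range(20)], [BASE_COST] * 20)
             for k in range(5)]
    asym = [Session(f"asym{k}", [j + 0.5 + 0.04 * k for j in range(10)], [8 * BASE_COST] * 10)
            for k in range(10)]
    flood = [Session("flood0", [0.05 * j for j in range(100)], [BASE_COST] * 100)]
    return legit + asym + flood


def mean_legit_response(policy: str) -> float:
    """Mean response time seen by the legitimate sessions under the given policy."""
    resp, _ = simulate(build_workload(), policy)
    times = [r for sid, rs in resp.items() if sid.startswith("legit") for r in rs]
    return sum(times) / len(times)


if __name__ == "__main__":
    for s in build_workload():
        print(f"{s.sid:8s} suspicion={suspicion(s):.3f}")
    for policy in ("fifo", "shield"):
        print(f"{policy:6s} mean legitimate response = {mean_legit_response(policy):.2f}s")
```

Under this workload the flooding session scores 0.95 and is dropped outright, the asymmetric sessions score 0.875 and are kept but served only when no legitimate request is waiting, and the legitimate sessions score 0. The asymmetric sessions alone carry 24 s of server work in 10 s, so under FIFO the legitimate mean response climbs into the tens of seconds, whereas the suspicion-driven scheduler keeps it well under a second, the same shape of result the abstract reports for the testbed.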


