ABSTRACT
It is widely recognized that distributed denial-of-service (DDoS) attacks can disrupt electronic commerce and cause large revenue losses. However, effective defenses continue to be mostly unavailable. We describe and evaluate VIPnet, a novel value-added network service for protecting e-commerce and other transaction-based sites from DDoS attacks. In VIPnet, e-merchants pay Internet Service Providers (ISPs) to carry the packets of the e-merchants' best clients (called VIPs) in a privileged class of service (CoS), protected from congestion, whether malicious or not, in the regular CoS. VIPnet rewards VIPs with not only better quality of service, but also greater availability. Because VIP rights are client- and server-specific, cannot be forged, are usage-limited, and are only replenished after successful client transactions (e.g., purchases), it is impractical for attackers to mount and sustain DDoS attacks against an e-merchant's VIPs. VIPnet can be deployed incrementally and does not require universal adoption. Experiments demonstrate VIPnet's benefits.