ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
Using graphic turing tests to counter automated DDoS attacks against web servers
Full text PdfPdf (257 KB)
Source Conference on Computer and Communications Security archive
Proceedings of the 10th ACM conference on Computer and communications security table of contents
Washington D.C., USA
SESSION: DOS protection table of contents
Pages: 8 - 19  
Year of Publication: 2003
ISBN:1-58113-738-9
Authors
William G. Morein  Columbia University in the City of New York
Angelos Stavrou  Columbia University in the City of New York
Debra L. Cook  Columbia University in the City of New York
Angelos D. Keromytis  Columbia University in the City of New York
Vishal Misra  Columbia University in the City of New York
Dan Rubenstein  Columbia University in the City of New York
Sponsor
ACM: Association for Computing Machinery
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 17,   Downloads (12 Months): 113,   Citation Count: 12
Additional Information:

abstract   references   cited by   index terms   collaborative colleagues  

Tools and Actions: Request Permissions Request Permissions    Review this Article  
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/948109.948114
What is a DOI?

ABSTRACT

We present WebSOS, a novel overlay-based architecture that provides guaranteed access to a web server that is targeted by a denial of service (DoS) attack. Our approach exploits two key characteristics of the web environment: its design around a human-centric interface, and the extensibility inherent in many browsers through downloadable "applets." We guarantee access to a web server for a large number of previously unknown users, without requiring pre-existing trust relationships between users and the system.Our prototype requires no modifications to either servers or browsers, and makes use of graphical Turing tests, web proxies, and client authentication using the SSL/TLS protocol, all readily supported by modern browsers. We use the WebSOS prototype to conduct a performance evaluation over the Internet using PlanetLab, a testbed for experimentation with network overlays. We determine the end-to-end latency using both a Chord-based approach and our shortcut extension. Our evaluation shows the latency increase by a factor of 7 and 2 respectively, confirming our simulation results.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

 
1
D. G. Andersen. Mayday: Distributed Filtering for Internet Services. In 4th USENIX Symposium on Internet Technologies and Systems USITS, March 2003.
 
2
L. Amini, H. Schulzrinne, and A. Lazar. Observations from Router-level Internet Traces. In DIMACS Workshop on Internet and WWW Measurement, Mapping and Modeling, February 2002.
 
3
S. M. Bellovin. Distributed Firewalls. login: magazine, special issue on security, pages 37--39, November 1999.
 
4
W. J. Blackert, D. M. Gregg, A. K. Castner, E. M. Kyle, R. L. Hom, and R. M. Jokerst. Analyzing Interaction Between Distributed Denial of Service Attacks and Mitigation Technologies. In Proceedings of DISCEX III, pages 26--36, April 2003.
 
5
CCITT. X.509: The Directory Authentication Framework. International Telecommunications Union, Geneva, 1989.
 
6
A. Cohen, S. Rangarajan, and J. H. Slye. On the Performance of TCP Splicing for URL-Aware Redirection. In USENIX Symposium on Internet Technologies and Systems, 1999.
 
7
D. Cook. Analysis of Routing Algorithms for Secure Overlay Service. Computer Science Department Technical Report CUCS-010-02, Columbia University, April 2002.
 
8
S. A. Crosby and D. S. Wallach. Denial of Service via Algorithmic Complexity Attacks. In Proceedings of the 12th USENIX Security Symposium, pages 29--44, August 2003.
 
9
D. Dean, M. Franklin, and A. Stubblefield. An Algebraic Approach to IP Traceback. In Proceedings of the Network and Dsitributed System Security Symposium (NDSS), pages 3--12, February 2001.
 
10
Sven Dietrich , Neil Long , David Dittrich, Analyzing Distributed Denial of Service Tools: The Shaft Case, Proceedings of the 14th USENIX conference on System administration, December 03-08, 2000, New Orleans, Louisiana
 
11
G. Dommety. Key and Sequence Number Extensions to GRE. RFC 2890, September 2000.
 
12
D. Farinacci, T. Li, S. Hanks, D. Meyer, and P. Traina. Generic Routing Encapsulation (GRE). RFC 2784, March 2000.
13
Michael T. Goodrich, Efficient packet marking for large-scale IP traceback, Proceedings of the 9th ACM conference on Computer and communications security, November 18-22, 2002, Washington, DC, USA  [doi>10.1145/586110.586128]
 
14
L. Heberlein and M. Bishop. Attack Class: Address Spoofing. In Proceedings of the 19th National Information Systems Security Conference, pages 371--377, October 1996.
 
15
J. Ioannidis and S. M. Bellovin. Implementing Pushback: Router-Based Defense Against DDoS Attacks. In Proceedings of the Network and Distributed System Security Symposium (NDSS), February 2002.
16
Sotiris Ioannidis , Angelos D. Keromytis , Steve M. Bellovin , Jonathan M. Smith, Implementing a distributed firewall, Proceedings of the 7th ACM conference on Computer and communications security, p.190-199, November 01-04, 2000, Athens, Greece  [doi>10.1145/352600.353052]
17
David Karger , Eric Lehman , Tom Leighton , Rina Panigrahy , Matthew Levine , Daniel Lewin, Consistent hashing and random trees: distributed caching protocols for relieving hot spots on the World Wide Web, Proceedings of the twenty-ninth annual ACM symposium on Theory of computing, p.654-663, May 04-06, 1997, El Paso, Texas, United States  [doi>10.1145/258533.258660]
18
Frank Kargl , Joern Maier , Michael Weber, Protecting web servers from distributed denial of service attacks, Proceedings of the 10th international conference on World Wide Web, p.514-524, May 01-05, 2001, Hong Kong, Hong Kong  [doi>10.1145/371920.372148]
 
19
S. Kent and R. Atkinson. Security Architecture for the Internet Protocol. RFC 2401, Nov. 1998.
20
Angelos D. Keromytis , Vishal Misra , Dan Rubenstein, SOS: secure overlay services, Proceedings of the 2002 conference on Applications, technologies, architectures, and protocols for computer communications, August 19-23, 2002, Pittsburgh, Pennsylvania, USA
21
Angelos D. Keromytis , Janak Parekh , Philip N. Gross , Gail Kaiser , Vishal Misra , Jason Nieh , Dan Rubenstein , Sal Stolfo, A holistic approach to service survivability, Proceedings of the 2003 ACM workshop on Survivable and self-regenerative systems: in association with 10th ACM Conference on Computer and Communications Security, p.11-22, October 31-31, 2003, Fairfax, VA  [doi>10.1145/1036921.1036923]
 
22
Stefan Miltchev , Sotiris Ioannidis , Angelos D. Keromytis, A Study of the Relative Costs of Network Security Protocols, Proceedings of the FREENIX Track: 2002 USENIX Annual Technical Conference, p.41-48, June 10-15, 2002
 
23
D. Moore, G. Voelker, and S. Savage. Inferring Internet Denial-of-Service Activity. In Proceedings of the 10th USENIX Security Symposium, pages 9--22, August 2001.
 
24
G. Mori and J. Malik. Recognizing Objects in Adversarial Clutter: Breaking a Visual CAPTCHA. In Computer Vision and Pattern Recognition CVPR'03, June 2003.
 
25
C. Papadopoulos, R. Lindell, J. Mehringer, A. Hussain, and R. Govindan. COSSACK: Coordinated Suppression of Simultaneous Attacks. In Proceedings of DISCEX III, pages 2--13, April 2003.
26
Kihong Park , Heejo Lee, On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law internets, Proceedings of the 2001 conference on Applications, technologies, architectures, and protocols for computer communications, p.15-26, August 2001, San Diego, California, United States
 
27
L. Peterson, D. Culler, T. Anderson, and T. Roscoe. A Blueprint for Introducing Disruptive Technology into the Internet. In Proceedings of the 1st Workshop on Hot Topics in Networks (HotNets-I), October 2002.
28
Sylvia Ratnasamy , Paul Francis , Mark Handley , Richard Karp , Scott Schenker, A scalable content-addressable network, Proceedings of the 2001 conference on Applications, technologies, architectures, and protocols for computer communications, p.161-172, August 2001, San Diego, California, United States
 
29
Jelena Mirkovic , Gregory Prier , Peter L. Reiher, Attacking DDoS at the Source, Proceedings of the 10th IEEE International Conference on Network Protocols, p.312-321, November 12-15, 2002
30
Stefan Savage , David Wetherall , Anna Karlin , Tom Anderson, Practical network support for IP traceback, Proceedings of the conference on Applications, Technologies, Architectures, and Protocols for Computer Communication, p.295-306, August 28-September 01, 2000, Stockholm, Sweden
 
31
Stefan Savage , David Wetherall , Anna Karlin , Tom Anderson, Network support for IP traceback, IEEE/ACM Transactions on Networking (TON), v.9 n.3, p.226-237, June 2001  [doi>10.1109/90.929847]
 
32
Christoph L. Schuba , Ivan V. Krsul , Markus G. Kuhn , Eugene H. spafford , Aurobindo Sundaram , Diego Zamboni, Analysis of a Denial of Service Attack on TCP, Proceedings of the 1997 IEEE Symposium on Security and Privacy, p.208, May 04-07, 1997
33
Alex C. Snoeren, Hash-based IP traceback, Proceedings of the 2001 conference on Applications, technologies, architectures, and protocols for computer communications, p.3-14, August 2001, San Diego, California, United States
34
Ion Stoica , Robert Morris , David Karger , M. Frans Kaashoek , Hari Balakrishnan, Chord: A scalable peer-to-peer lookup service for internet applications, Proceedings of the 2001 conference on Applications, technologies, architectures, and protocols for computer communications, p.149-160, August 2001, San Diego, California, United States
 
35
R. Stone. CenterTrack: An IP Overlay Network for Tracking DoS Floods. In Proceedings of the USENIX Security Symposium, August 2000.
 
36
R. Thomas, B. Mark, T. Johnson, and J. Croall. NetBouncer: Client-legitimacy-based High-performance DDoS Filtering. In Proceedings of DISCEX III, pages 14--25, April 2003.
 
37
L. von Ahn, M. Blum, N. J. Hopper, and J. Langford. CAPTCHA: Using Hard AI Problems For Security. In Proceedings of EUROCRYPT'03, 2003.

CITED BY  12
XiaoFeng Wang , Michael K. Reiter, Mitigating bandwidth-exhaustion attacks using congestion puzzles, Proceedings of the 11th ACM conference on Computer and communications security, October 25-29, 2004, Washington DC, USA
Ritendra Datta , Jia Li , James Z. Wang, IMAGINATION: a robust image-based CAPTCHA generation system, Proceedings of the 13th annual ACM international conference on Multimedia, November 06-11, 2005, Hilton, Singapore
Angelos Stavrou , Debra L. Cook , William G. Morein , Angelos D. Keromytis , Vishal Misra , Dan Rubenstein, WebSOS: an overlay-based system for protecting web servers from denial of service attacks, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.48 n.5, p.781-807, 5 August 2005
Angelos Stavrou , Angelos D. Keromytis, Countering DoS attacks with stateless multipath overlays, Proceedings of the 12th ACM conference on Computer and communications security, November 07-11, 2005, Alexandria, VA, USA
Bin Xiao , Wei Chen , Yanxiang He, A novel approach to detecting DDoS Attacks at an Early Stage, The Journal of Supercomputing, v.36 n.3, p.235-248, June 2006
Erol Gelenbe , George Loukas, A self-aware approach to denial of service defence, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.51 n.5, p.1299-1314, April, 2007
Michael Walfish , Mythili Vutukuru , Hari Balakrishnan , David Karger , Scott Shenker, DDoS defense by offense, ACM SIGCOMM Computer Communication Review, v.36 n.4, October 2006
Leiwen Deng , Yan Gao , Yan Chen , Aleksandar Kuzmanovic, Pollution attacks and defenses for Internet caching systems, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.52 n.5, p.935-956, April, 2008
Shigang Chen , Yibei Ling , Randy Chow , Ye Xia, AID: A global anti-DoS service, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.51 n.15, p.4252-4269, October, 2007
Gal Badishi , Amir Herzberg , Idit Keidar, Keeping Denial-of-Service Attackers in the Dark, IEEE Transactions on Dependable and Secure Computing, v.4 n.3, p.191-204, July 2007
Chwan Hwa John Wu , Tong Liu, Simulation for intrusion-resilient, DDoS-resistant authentication system (IDAS), Proceedings of the 2008 Spring simulation multiconference, April 14-17, 2008, Ottawa, Canada
Matthias Baumgart , Christian Scheideler , Stefan Schmid, A DoS-resilient information system for dynamic data management, Proceedings of the twenty-first annual symposium on Parallelism in algorithms and architectures, August 11-13, 2009, Calgary, AB, Canada

INDEX TERMS

Primary Classification:
  C. Computer Systems Organization
  C.2 COMPUTER-COMMUNICATION NETWORKS
      C.2.0 General

Additional Classification:
  C. Computer Systems Organization
  C.2 COMPUTER-COMMUNICATION NETWORKS
      C.2.1 Network Architecture and Design


General Terms:
Reliability, Security


Keywords:
Java, graphic turing tests, web proxies

Collaborative Colleagues:
William G. Morein: colleagues
Angelos Stavrou: colleagues
Debra L. Cook: colleagues
Angelos D. Keromytis: colleagues
Vishal Misra: colleagues
Dan Rubenstein: colleagues

The ACM Portal is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player