Abstract
This paper presents the design, implementation, analysis, and experimental evaluation of speak-up, a defense against application-level distributed denial-of-service (DDoS), in which attackers cripple a server by sending legitimate-looking requests that consume computational resources (e.g., CPU cycles, disk). With speak-up, a victimized server encourages all clients, resources permitting, to automatically send higher volumes of traffic. We suppose that attackers are already using most of their upload bandwidth and so cannot react to the encouragement. Good clients, however, have spare upload bandwidth and will react to the encouragement with drastically higher volumes of traffic. The intended outcome of this traffic inflation is that the good clients crowd out the bad ones, thereby capturing a much larger fraction of the server's resources than before. We experiment under various conditions and find that speak-up causes the server to spend resources on a group of clients in rough proportion to their aggregate upload bandwidth. This result makes the defense viable and effective for a class of real attacks.
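The crowd-out effect the abstract describes can be seen in a small discrete-event simulation. The code below is an added illustration, not the paper's implementation: the client population, the bandwidth figures, and the admission rule (each freed server slot goes to the client that has sent the most traffic since it was last admitted, whose counter is then reset) are all constructed assumptions chosen to approximate a first-come-first-served server when speak-up is off and a bandwidth-charging front end when it is on. Attackers are modelled as already saturating their upload links, so only the good clients' send rate changes when speak-up is enabled.

```python
"""Constructed simulation of speak-up's crowd-out effect (not the paper's code).

Model assumptions (all constructed for this example):
  * every request costs the server the same amount of work;
  * attackers already use 100% of their upload bandwidth, good clients only a
    small fraction of theirs, until speak-up tells them to inflate;
  * the server admits one request per slot using the rule in `simulate`.
"""
from dataclasses import dataclass, field


@dataclass
class Client:
    name: str
    upload_kbps: float       # upload bandwidth available to this client
    malicious: bool
    baseline_fraction: float  # share of upload_kbps normally spent on this server
    volume: float = field(default=0.0, init=False)  # traffic sent since last admission
    served: int = field(default=0, init=False)      # requests the server completed


def send_rate_kbps(c: Client, speak_up: bool) -> float:
    """Traffic (kbit/s) the client offers the server under the current regime."""
    if speak_up and not c.malicious:
        # Encouraged good clients inflate to their full upload bandwidth.
        return c.upload_kbps
    # Attackers are assumed to be saturating their links already (fraction 1.0),
    # so the encouragement changes nothing for them.
    return c.upload_kbps * c.baseline_fraction


def simulate(clients, server_rps: int, seconds: int, speak_up: bool) -> float:
    """Run the server for `seconds` at `server_rps` admissions per second.

    Admission rule (assumption): each slot goes to the client with the largest
    accumulated volume since its last admission; that client's counter resets.
    With uniform request sizes this tracks request arrival rate, i.e. it behaves
    like FCFS without speak-up and like a 'pay with bandwidth' auction with it.
    Returns the fraction of admissions that went to good clients.
    """
    for c in clients:
        c.volume = 0.0
        c.served = 0
    dt = 1.0 / server_rps
    for _ in range(int(seconds * server_rps)):
        for c in clients:
            c.volume += send_rate_kbps(c, speak_up) * dt
        winner = max(clients, key=lambda c: c.volume)
        winner.served += 1
        winner.volume = 0.0
    total = sum(c.served for c in clients)
    good = sum(c.served for c in clients if not c.malicious)
    return good / total


def good_bandwidth_share(clients) -> float:
    """Good clients' share of aggregate upload bandwidth (the abstract's prediction)."""
    good = sum(c.upload_kbps for c in clients if not c.malicious)
    return good / sum(c.upload_kbps for c in clients)


def build_scenario(n_good: int = 20, n_bad: int = 20):
    """Constructed population: equal link speeds, bots saturating, good clients at 2%."""
    clients = [Client(f"good{i}", 500.0, False, 0.02) for i in range(n_good)]
    clients += [Client(f"bot{i}", 500.0, True, 1.0) for i in range(n_bad)]
    return clients


if __name__ == "__main__":
    population = build_scenario()
    without = simulate(population, server_rps=200, seconds=60, speak_up=False)
    with_su = simulate(population, server_rps=200, seconds=60, speak_up=True)
    print(f"good clients' share of server work, no speak-up:   {without:.3f}")
    print(f"good clients' share of server work, with speak-up: {with_su:.3f}")
    print(f"good clients' share of aggregate upload bandwidth: "
          f"{good_bandwidth_share(population):.3f}")
```

Without speak-up the good clients, who send 2% of what each bot sends, receive roughly 2% of the server's work; once they inflate to their full links the split converges to their share of aggregate upload bandwidth, which is the proportionality the abstract reports. Changing `baseline_fraction` or the link speeds in `build_scenario` shows the caveat the abstract states as "resources permitting": good clients with little spare upload bandwidth gain correspondingly little.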
Published in SIGCOMM '06: Proceedings of the 2006 conference on Applications, technologies, architectures, and protocols for computer communications.