On the Effectiveness of Secure Overlay Forwarding Systems under Intelligent Distributed DoS Attacks
July 2006 (vol. 17 no. 7)
pp. 619-632

Abstract—In the framework of a set of clients communicating with a critical server over the Internet, a recent approach to protect communication from Distributed Denial of Service (DDoS) attacks involves the usage of overlay systems. SOS, MAYDAY, and I3 are such systems. The architecture of these systems consists of a set of overlay nodes that serve as intermediate forwarders between the clients and the server, thereby controlling access to the server. Although such systems perform well under random DDoS attacks, it is questionable whether they are resilient to intelligent DDoS attacks which aim to infer architectures of the systems to launch more efficient attacks. In this paper, we define several intelligent DDoS attack models and develop analytical/simulation approaches to study the impacts of architectural design features of such overlay systems on the system performance in terms of path availability between clients and the server under attacks. Our data clearly demonstrate that the system performance is indeed sensitive to the architectural features and the different features interact with each other to impact overall system performance under intelligent DDoS attacks. Our observations provide important guidelines in the design of such secure overlay forwarding systems.

Index Terms:
Secure overlay forwarding system, DDoS attacks.
Citation:
Xun Wang, Sriram Chellappan, Phillip Boyer, Dong Xuan, "On the Effectiveness of Secure Overlay Forwarding Systems under Intelligent Distributed DoS Attacks," IEEE Transactions on Parallel and Distributed Systems, vol. 17, no. 7, pp. 619-632, July 2006, doi:10.1109/TPDS.2006.93