Keeping Denial-of-Service Attackers in the Dark

Gal Badishi; Amir Herzberg; Idit Keidar

doi:10.1109/TDSC.2007.70209

Publication
2007
Issue No. 3 - July-September
Abstract - Keeping Denial-of-Service Attackers in the Dark

	This Article
	Subscribers, please Login Purchase article: $19 PDF HTML IEEE Xplore Subscribers RSS feed
	Share
	Email this Article to a friend
	Bibliographic References
	ASCII Text BibTex RefWorks Procite/RefMan/EndNote
	Add to:
	Digg Furl Spurl Blink Simpy Google Del.icio.us Y!MyWeb
	Search
	Similar Articles Articles by Gal Badishi Articles by Amir Herzberg Articles by Idit Keidar

Keeping Denial-of-Service Attackers in the Dark

July-September 2007 (vol. 4 no. 3)

pp. 191-204

	ASCII Text	x
	Gal Badishi, Amir Herzberg, Idit Keidar, "Keeping Denial-of-Service Attackers in the Dark," IEEE Transactions on Dependable and Secure Computing, vol. 4, no. 3, pp. 191-204, July-September, 2007.

	BibTex	x
	@article{ 10.1109/TDSC.2007.70209, author = {Gal Badishi and Amir Herzberg and Idit Keidar}, title = {Keeping Denial-of-Service Attackers in the Dark}, journal ={IEEE Transactions on Dependable and Secure Computing}, volume = {4}, number = {3}, issn = {1545-5971}, year = {2007}, pages = {191-204}, doi = {http://doi.ieeecomputersociety.org/10.1109/TDSC.2007.70209}, publisher = {IEEE Computer Society}, address = {Los Alamitos, CA, USA}, }

	RefWorks Procite/RefMan/Endnote	x
	TY - JOUR JO - IEEE Transactions on Dependable and Secure Computing TI - Keeping Denial-of-Service Attackers in the Dark IS - 3 SN - 1545-5971 SP191 EP204 EPD - 191-204 A1 - Gal Badishi, A1 - Amir Herzberg, A1 - Idit Keidar, PY - 2007 KW - Protocols KW - Reliability KW - availability KW - and serviceability VL - 4 JA - IEEE Transactions on Dependable and Secure Computing ER -

Gal Badishi

Amir Herzberg

Idit Keidar

DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/TDSC.2007.70209

We consider the problem of overcoming (Distributed) Denial of Service (DoS) attacks by realistic adversariesthat have knowledge of their attack' s successfulness, e.g., by observing service performance degradation,or by eavesdropping on messages or parts thereof. A solution for this problem in a high-speed networkenvironment necessitates lightweight mechanisms for differentiating between valid traffic and the attacker'spackets. The main challenge in presenting such a solution is to exploit existing packet filtering mechanismsin a way that allows fast processing of packets, but is complex enough so that the attacker cannot efficientlycraft packets that pass the filters. We show a protocol that mitigates DoS attacks by adversaries that caneavesdrop and (with some delay) adapt their attacks accordingly. The protocol uses only available, efficientpacket filtering mechanisms based mainly on addresses and port numbers. Our protocol avoids the use of fixedports, and instead performs 'pseudo-random port hopping' . We model the underlying packet-filtering servicesand define measures for the capabilities of the adversary and for the success rate of the protocol. Using these,we provide a novel rigorous analysis of the impact of DoS on an end-to-end protocol, and show that ourprotocol provides effective DoS prevention for realistic attack and deployment scenarios.

[1] D.G. Andersen, “Mayday: Distributed Filtering for Internet Services,” Proc. Fourth Usenix Symp. Internet Technologies and Systems (USITS '03), 2003.
[2] K. Argyraki and D.R. Cheriton, “Active Internet Traffic Filtering: Real-Time Response to Denial-of-Service Attacks,” Proc. Usenix Ann. Technical Conf., Apr. 2005.
[3] R. Atkinson, Security Architecture for the Internet Protocol, IETF RFC 2401, 1998.
[4] G. Badishi, I. Keidar, and A. Sasson, “Exposing and Eliminating Vulnerabilities to Denial of Service Attacks in Secure Gossip-Based Multicast,” Proc. 37th Ann. IEEE/IFIP Int'l Conf. Dependable Systems and Networks (DSN '04), pp. 223-232, June-July 2004.
[5] M. Collins and M.K. Reiter, “An Empirical Analysis of Target-Resident DoS Filters,” Proc. IEEE Symp. Security and Privacy, pp.103-114, May 2004.
[6] Computer Crime and Security Survey, Computer Security Inst./Federal Bureau of Investigation (CSI/FBI), 2003.
[7] V.D. Gligor, “Guaranteeing Access in Spite of Service-Flooding Attacks,” Proc. 11th Int'l Workshop Security Protocols, 2003.
[8] O. Goldreich, S. Goldwasser, and S. Micali, “How to Construct Random Functions,” J. Assoc. for Computing Machinery, vol. 33, no. 4, pp. 792-807, 1986.
[9] C. Jin, H. Wang, and K.G. Shin, “Hop-Count Filtering: An Effective Defense against Spoofed DDoS Traffic,” Proc. 10th ACM Conf. Computer and Comm. Security (CCS '03), V. Atluri and P. Liu, eds., pp. 30-41, Oct. 2003.
[10] J. Jung, B. Krishnamurthy, and M. Rabinovich, “Flash Crowds and Denial of Service Attacks: Characterization and Implications for CDNs and Web Sites,” Proc. 11th Int'l World Wide Web Conf. (WWW '02), pp. 252-262, May 2002.
[11] “The Need for Pervasive Application-Level Attack Protection,” white paper, Juniper Networks, 2004.
[12] A.D. Keromytis, V. Misra, and D. Rubenstein, “SOS: An Architecture for Mitigating DDoS Attacks,” J. Selected Areas in Comm., vol. 21, no. 1, pp. 176-188, 2004.
[13] B. Krishnamurthy and J. Wang, “On Network-Aware Clustering of Web Clients,” Proc. ACM Conf. Applications, Technologies, Architectures, and Protocols for Computer Comm. (SIGCOMM '00), Aug. 2000.
[14] H.C.J. Lee and V.L.L. Thing, “Port Hopping for Resilient Networks,” Proc. 60th IEEE Vehicular Technology Conf., Sept. 2004.
[15] P. Mahajan, S.M. Bellovin, S. Floyd, J. Ioannidis, V. Paxson, and S. Shenker, “Controlling High Bandwidth Aggregates in the Network,” Computer Comm. Rev., vol. 32, no. 3, pp. 62-73, July 2002.
[16] D. Moore, G. Voelker, and S. Savage, “Inferring Internet Denial-of-Service Activity,” Proc. 10th Usenix Security Symp., pp. 9-22, Aug. 2001.
[17] W.G. Morein, A. Stavrou, D.L. Cook, A.D. Keromytis, V. Misra, and D. Rubenstein, “Using Graphic Turing Tests to Counter Automated DDoS Attacks against Web Servers,” Proc. 10th ACM Conf. Computer and Comm. Security (CCS '03), pp. 8-19, 2003.
[18] “Web Application Firewall: How NetContinuum Stops the 21 Classes of Web Application Threats,” white paper, NetContinuum, 2004.
[19] “DoS Protection,” white paper, P-Cube, 2004.
[20] “Minimizing the Effects of DoS Attacks,” white paper, P-Cube, 2004.
[21] “Defeating DDoS Attacks,” white paper, Riverhead Networks, 2004.
[22] S.M. Schwartz, “Frequency Hopping Spread Spectrum (FHSS) vs. Direct Sequence Spread Spectrum (DSSS) in the Broadband Wireless Access and WLAN Arenas,” white paper, 2001.
[23] A. Stavrou and A.D. Keromytis, “Countering DoS Attacks with Stateless Multipath Overlays,” Proc. 12th ACM Conf. Computer and Comm. Security (CCS '05), Nov. 2005.
[24] J. Wang, X. Liu, and A.A. Chien, “Empirical Study of Tolerating Denial-of-Service Attacks with a Proxy Network,” Proc. 14th Usenix Security Symp., 2005.
[25] A. Yaar, A. Perrig, and D. Song, “Pi: A Path Identification Mechanism to Defend against DDoS Attacks,” Proc. IEEE Symp. Security and Privacy, May 2003.
[26] A. Yaar, A. Perrig, and D. Song, “SIFF: A Stateless Internet Flow Filter to Mitigate DDoS Flooding Attacks,” Proc. IEEE Symp. Security and Privacy, May 2004.

Index Terms:

Protocols, Reliability, availability, and serviceability

Citation:

Gal Badishi, Amir Herzberg, Idit Keidar, "Keeping Denial-of-Service Attackers in the Dark," IEEE Transactions on Dependable and Secure Computing, vol. 4, no. 3, pp. 191-204, July-Sept. 2007, doi:10.1109/TDSC.2007.70209

Peer Review Notice | Give Us Feedback

Usage of this product signifies your acceptance of the Terms of Use.