Keeping Denial-of-Service Attackers in the Dark
July-September 2007 (vol. 4 no. 3)
pp. 191-204
We consider the problem of overcoming (Distributed) Denial of Service (DoS) attacks by realistic adversaries that have knowledge of their attack's successfulness, e.g., by observing service performance degradation, or by eavesdropping on messages or parts thereof. A solution for this problem in a high-speed network environment necessitates lightweight mechanisms for differentiating between valid traffic and the attacker's packets. The main challenge in presenting such a solution is to exploit existing packet filtering mechanisms in a way that allows fast processing of packets, but is complex enough so that the attacker cannot efficiently craft packets that pass the filters. We show a protocol that mitigates DoS attacks by adversaries that can eavesdrop and (with some delay) adapt their attacks accordingly. The protocol uses only available, efficient packet filtering mechanisms based mainly on addresses and port numbers. Our protocol avoids the use of fixed ports, and instead performs 'pseudo-random port hopping'. We model the underlying packet-filtering services and define measures for the capabilities of the adversary and for the success rate of the protocol. Using these, we provide a novel rigorous analysis of the impact of DoS on an end-to-end protocol, and show that our protocol provides effective DoS prevention for realistic attack and deployment scenarios.
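The abstract's core idea, a receiver-side filter that admits packets only on a port derived pseudo-randomly from a shared key and the current time slot, is easy to see in a toy simulation. The following is an added example written for this page; it is not the paper's protocol, analysis or code. Everything in it is an assumption made for illustration: HMAC-SHA256 stands in for the pseudo-random function, the port pool, slot length, the one-slot skew tolerance, the shared key `b"example-shared-key"`, and the functions `port_for_slot`, `open_ports`, `filter_admits` and `simulate` are all constructed here. The simulation models an eavesdropper who learns the port in use but needs some delay before it can direct traffic at it, and reports how much of its traffic the filter still admits.

```python
"""Toy pseudo-random port hopping (constructed illustration, not the paper's protocol).

Assumptions: sender and receiver share a secret key and loosely synchronised clocks;
the receiver's filter admits packets by destination port only; an attacker can observe
a port in use but needs `attacker_delay` seconds to adapt and send to it.
"""
import hashlib
import hmac
import struct

PORT_LO, PORT_HI = 10000, 60000   # constructed: pool the hopping ports are drawn from
SLOT_SECONDS = 1.0                # constructed: the open port changes once per slot


def slot_of(t: float) -> int:
    """Time slot index for wall-clock time t (seconds)."""
    return int(t // SLOT_SECONDS)


def port_for_slot(key: bytes, slot: int) -> int:
    """PRF(key, slot) mapped into the port pool; HMAC-SHA256 plays the role of the PRF.
    Without the key, the next port is unpredictable to an observer."""
    mac = hmac.new(key, struct.pack(">q", slot), hashlib.sha256).digest()
    return PORT_LO + int.from_bytes(mac[:4], "big") % (PORT_HI - PORT_LO + 1)


def open_ports(key: bytes, t: float, skew_slots: int = 1) -> set:
    """Ports the filter accepts at time t: the current slot plus `skew_slots` on either
    side, so honest packets delayed or clock-skewed by less than a slot still pass.
    A wider tolerance also widens the window in which an observed port stays usable."""
    s = slot_of(t)
    return {port_for_slot(key, s + d) for d in range(-skew_slots, skew_slots + 1)}


def filter_admits(key: bytes, dst_port: int, arrival_time: float,
                  skew_slots: int = 1) -> bool:
    """Receiver-side filter decision: address/port-only, no per-packet crypto."""
    return dst_port in open_ports(key, arrival_time, skew_slots)


def simulate(key: bytes, attacker_delay: float, transit: float = 0.2,
             n_slots: int = 300, skew_slots: int = 1):
    """One honest packet per slot (sent mid-slot); the attacker copies the port it
    observed on that packet and sends to it `attacker_delay` seconds after observing it.
    Returns (honest packets admitted, attacker packets admitted, slots simulated)."""
    honest_ok = attack_ok = 0
    for s in range(n_slots):
        send_t = s * SLOT_SECONDS + 0.5
        port = port_for_slot(key, slot_of(send_t))
        arrival = send_t + transit
        if filter_admits(key, port, arrival, skew_slots):
            honest_ok += 1
        # the eavesdropper sees `port` at `arrival` and adapts after its delay
        if filter_admits(key, port, arrival + attacker_delay, skew_slots):
            attack_ok += 1
    return honest_ok, attack_ok, n_slots


if __name__ == "__main__":
    key = b"example-shared-key"   # constructed key for the demonstration
    for delay in (0.1, 0.9, 1.5, 2.5):
        honest, attack, n = simulate(key, delay)
        print(f"attacker delay {delay:>4}s: honest {honest}/{n} admitted, "
              f"attacker {attack}/{n} admitted")
```

Run as a script, the output shows that an attacker who can react within the current slot (plus the skew tolerance) is not slowed by the hopping at all, while one whose adaptation delay exceeds that window almost never lands on an open port; the rare hits that remain come from two slots drawing the same port from the pool, which is why pool size and skew tolerance are the parameters a deployment needs to reason about.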


Index Terms:
Protocols, Reliability, availability, and serviceability
Citation:
Gal Badishi, Amir Herzberg, Idit Keidar, "Keeping Denial-of-Service Attackers in the Dark," IEEE Transactions on Dependable and Secure Computing, vol. 4, no. 3, pp. 191-204, July-Sept. 2007, doi:10.1109/TDSC.2007.70209