Computer Networks

Volume 50, Issue 9, 20 June 2006, Pages 1281-1301
A survivable DoS-resistant overlay network

https://doi.org/10.1016/j.comnet.2005.06.010

Abstract

Denial of Service (DoS) attacks pose significant threats. For mission-critical applications such as disaster recovery and battlefield coordination, any disruption can entail serious consequences. Most of the prior work on countering DoS has taken an offensive approach in that they focus on detecting and blocking the attacks. Such approaches are always in a tight “cat and mouse” race with the attackers. Indeed, more sophisticated and finer-grained distributed DoS attacks may evade detection altogether. We believe a more defensive approach whose primary objective is to survive the attacks by sustaining reasonable performance to legitimate clients should be a key part of a repertoire of tools to counter DoS.

In this paper, we present a survivable overlay network architecture called rewire that is purpose-built to resist DoS; it achieves this by dynamically “adapting” the overlay topology to maximize end-to-end connectivity between clients and end servers. The heart of rewire is a novel probing mechanism that is responsive to network state yet scalable. It yields high-performance paths as determined by application-level metrics. We evaluate rewire against recent overlay solutions to DoS, and show that rewire is able to achieve equivalent blocking probability (i.e., similar resistance to DoS attacks) in large network topologies (e.g., 100 overlay nodes over a physical network of 600 nodes) while reducing the probe overhead from the typical O(N) in other schemes to O(log N), where N is the number of overlay nodes.

Introduction

Denial of Service (DoS) continues to present a significant challenge. In fact, the frequency and magnitude of attacks in the Internet have been steadily increasing [1]. There have been a number of well publicized attacks such as the February 2000 attack on popular Web sites including Yahoo, CNN, EBay, etc., and the recent attacks on the root DNS servers. Also, the soaring popularity and utility of the Internet has led to it being increasingly used for time-critical applications. This has also created several “critical” nodes or networks that require resiliency.

One specific application is an Emergency Response Network for disaster response scenarios. During catastrophes, communication is critical between various federal, state and city emergency response agencies. More importantly, it is easy to conceive a scenario whereby certain static sites are accessed by mobile, roaming nodes to obtain information that is critical to resolving the emergency situation. The static sites could store information that is difficult to replicate due to security concerns or due to its dynamic nature. Some of this information could be real-time in nature and would have strict constraints (e.g., real-time streaming video would have minimum bandwidth constraints). The “clients” in the field (emergency workers, government agents, police, etc.) should be able to access this information from any location (i.e., any IP address) within the wide area network, since it is not always possible to predict their locations when emergencies strike. Note that it is also possible for the clients to update the information at the static sites. Therefore, communication paths of sufficient “quality” must be maintained between the two sides and must be protected from DoS attacks, while requiring clients to securely access the static sites. The Internet is intrinsically an open network which can neither (a) be comprehensively protected against DoS, nor (b) provide consistent performance. In this paper, we seek to build an overlay network on top of the Internet that (a) is resistant to DoS attacks; (b) selects high-quality paths to route packets between the clients and servers; and (c) scales to support emergency scenarios of varying magnitudes.

Note that we primarily focus on DoS attacks caused by flooding the network with malicious traffic causing link and node saturation. Hosts can also be compromised and taken over by an attacker. We do not consider this form of attack in this paper. Interested readers can refer to our prior work [2] that describes the impact of such compromises and also presents mechanisms to minimize the damage of such attacks.

Although most DoS research focuses on the overloading of the end server hosts, DoS also disrupts services by congesting the communication path between clients and end server hosts, thus taking away bandwidth from legitimate client requests; we refer to this as Network DoS. Abstractly, for the purpose of attack analysis, the end server host attack can also be modeled as a Network DoS. Specifically, an attack on an end server host with a fixed processing capability is equivalent to a Network DoS attack on a virtual “access” link that connects the host (now without any processing constraints) to the network and has a capacity “equivalent” to the processing capability of the end host.

There is no dearth of research in attempting to specifically counter DoS attacks. Indeed, a large variety of solutions have been proposed. Some of these approaches require significant changes to existing network elements, and thus may be costly to deploy; while others require collaboration across ISPs, and thus may be impractical. We observe that none of these approaches can guarantee complete protection from DoS, partly because the fundamental problem of detecting DoS attack is not resolved. We believe that outside of authenticating and tunneling all legitimate packets (thus effectively partitioning them from attack packets), there is no sure way to eliminate malicious traffic.1

Instead of trying to root out all malicious attacks, we take a more defensive approach.2 Specifically, we propose to construct an adaptive defense perimeter around the end servers that can maintain “sufficient” connectivity between legitimate clients and the end servers even in times of attacks. We follow two key principles in constructing this defense perimeter:

  • Redundancy—there are multiple entry and exit points to the perimeter. A client can access the perimeter via multiple entry points and the perimeter can reach the end servers via multiple exit points. Thus, to totally disable communication, an attack would need to take down multiple entry and exit points, which is a less manageable feat.

  • Resiliency—nodes within the perimeter are “richly” connected, thus making communication within the perimeter (in particular between the entry and exit points) highly resilient. In fact, traversal within the perimeter adapts to attacks; this not only adds another level of resiliency, it also provides performance benefits.

In a nutshell, the defense perimeter forms a highly “malleable” shield for the actual servers, and its “malleability” provides graceful degradation under attacks. It tries to actively shift overload by “rewiring” the defense perimeter. Our approach can nicely complement, and can in fact be easily coupled with, a more offensive approach to DoS. Specifically, filtering and traceback capabilities [3], [4] can be added to our perimeter to further isolate the attack traffic.3 The above characteristics, together with the desire to maximize application flexibility, suggest the use of an overlay network to construct our perimeter.

Unlike the underlying physical network that is subject to routing policy constraints, a critical feature of an overlay network is that any node is virtually connected to every other node in the overlay. This rich connectivity comes with a price, however, in terms of performance and scalability. We propose a novel DoS-resistant overlay network architecture called rewire that overcomes this problem. rewire uses a distributed overlay routing algorithm which dynamically selects, for each overlay node, the “best” target node for accessing the end server and the best path (i.e., next hop) to reach that target node. The main contribution of this paper is a comprehensive DoS-resistant overlay architecture with a scalable distributed routing algorithm that has the following properties:

  • Connectivity: rewire maximizes the connectivity between a set of access points and a set of target nodes such that an end-to-end path between a client and an end server is “maximally” available.

  • Performance: rewire improves performance by “rewiring” the overlay to prefer good paths as determined by some application-level metrics.

  • Scalability: Fast response typically incurs significant overhead. This is particularly undesirable in times of DoS attacks as it will contribute negatively to the overall traffic. rewire’s scalable probing mechanism allows it to achieve performance similar to that of more aggressive schemes while incurring a significantly lower overhead, on the order of O(log N) as compared to O(N), where N is the number of overlay nodes.

In Section 2, we present related work in this area, with particular focus on two specific schemes—Resilient Overlay Networks (RON) [5] and Secure Overlay Services (SOS) [6]—that are most relevant to our approach. We highlight the key features of rewire and its distinctions from these schemes. Section 3 describes rewire’s architecture, the attack model we assume and the design requirements. Section 4 presents rewire’s adaptive routing algorithm and describes its two main components: probing and rewiring. In Section 5, we present results of experimental evaluation of rewire, comparing it to a RON-like scheme as well as current shortest path routing. Section 6 provides some general discussion of rewire, including a number of implementation considerations. We conclude in Section 7.

Related work

There has been a lot of recent work, spanning a diverse number of approaches, to counter DoS attacks. Most approaches, however, tend to focus only on DoS attacks on hosts, and do not consider the impact on the network. Instead of surveying the field, we will focus our discussion to just a few relevant ones, especially the ones that adopt some form of overlays.

Resilient Overlay Networks (RON) [5] proposes the use of overlay networks for recovering from link outages and router failures. While RON

Architecture, model, and design requirements

In this section, we present the rewire overlay network architecture and describe the assumptions and the model for an attacker to launch a DoS attack on the rewire overlay and the underlying network. We also present the design requirements for a DoS-resistant overlay network.

rewire Algorithm

Since rewire is a distributed scheme where each overlay node runs the same algorithm, we only need to describe the behavior of one overlay node.

Evaluation

In this section, we describe the experimental set-up for evaluating the overlay routing mechanisms. We will use available bandwidth as a representative example of dynamic metrics. The use of this particular metric is useful against Denial of Service, since DoS eventually manifests itself in terms of network load primarily due to saturation of links. By picking paths with the maximum available bandwidth, the probability of maintaining connectivity between end-points is maximized. We evaluate

Initialization

In the initialization function shown in Fig. 5, for every target node, the value of the metric reaching any target is set to infinity, i.e., the best possible value; and this value does not change over time. This is based on the assumption that the targets are never the bottleneck. To account for possible capacity limitation at a target, the target node can initialize its metric to a value corresponding to its maximum capacity. As a target starts serving requests, it can change the metric value

Conclusions

We presented an overlay network architecture called rewire that is purpose-built to mitigate DoS attacks. The key to rewire’s ability to survive an attack is by actively “rewiring” the overlay topology such that connectivity between legitimate clients and the end servers is sustained at all times, especially in times of attack. rewire in fact does even better than just preserving connectivity, it yields high-performance paths according to some application-level metrics, thus enhancing

Tian Bu received his Ph.D. in Computer Science from University of Massachusetts, Amherst in 2002. He has been at Bell Labs, Lucent Technologies since 2002 where he is a member of technical staff at the networking research Labs. His current research includes network security and network modeling and performance evaluation.

References (27)

  • R. Carter et al., Measuring bottleneck link speed in packet-switched networks, Performance Evaluation (1996).
  • D. Moore, G. Voelker, G. Savage, Inferring internet denial of-service activity, in: Proc. of 10th USENIX Security...
  • T. Bu, S. Norden, T. Woo, Trading resiliency for security: model and algorithms, in: Proc. of International Conference...
  • J. Ioannidis, S.M. Bellovin, Implementing pushback: router based defense against DDoS attacks, in: Proc. of Network and...
  • A.C. Snoeren, C. Partridge, L.A. Sanchez, C.E. Jones, F. Tchakountio, S.T. Kent, W.T. Strayer, Hash-based IP Traceback,...
  • D.G. Andersen, H. Balakrishnan, M.F. Kaashoek, R. Morris, Resilient overlay networks, in: Proc. of 18th ACM SOSP,...
  • A. Keromytis, V. Misra, D. Rubenstein, SOS: secure overlay services, in: Proc. of ACM SIGCOMM, August...
  • A. Collins, The Detour framework for packet rerouting, Ph.D. dissertation, University of Washington, October...
  • S. Savage et al., Detour: A case for informed internet routing and transport, IEEE Micro (1999).
  • I. Stoica, R. Morris, D. Karger, F. Kaashoek, H. Balakrishnan, Chord: A scalable peer-to-peer lookup service for...
  • D. Cook, Analysis of routing algorithms for secure overlay service, Technical Report, cucs-010-02, Dept. of Computer...
  • B.Y. Zhao et al., Tapestry: A resilient global-scale overlay for service deployment, IEEE Journal on Selected Areas in Communications (2004).
  • B.Y. Zhao, L. Huang, J. Stribling, A.D. Joseph, J.D. Kubiatowicz, Exploiting routing redundancy via structured...
Samphel Norden received a B.S. (1998) from the Indian Institute of Technology, Madras and a Doctor of Science (D.Sc.) (2002) in Computer Science from Washington University in St. Louis. He is currently a Member of Technical Staff (MTS) in the Center for Mobile Networking Research in Lucent Bell Laboratories. His research interests include Mobile Networking, Denial-of-Service detection and prevention, Inter-domain QoS routing, Overlay Networks and Wireless Security.

Thomas Woo is a Director in the Networking Research Laboratory at Bell Labs. He leads research in both the Mobile Networking and Internet Management Research Departments. Previously, he had headed the Networking Systems Research Department. In between, he spent two years in RedWave Networks, a Silicon Valley startup, as Chief Network Architect and VP of Software Engineering.

His main research focus is in the area of networking and security, spanning both wireline and wireless areas. He is particularly interested in the design and architecture issues in next-generation networks and elements. His research typically has a strong system prototyping aspect; some of the systems Thomas has built include: Wireless Data Server—a next generation wireless data platform for providing both narrowband and broadband services, VIPER—a high-density carrier-class IP edge router and a multi-service metro wireless router. Most recently, he has been working on open router architecture using disaggregated control and forwarding, wireless denial of service attacks, and Voice over IP systems and protocols.

He has authored many research articles that appeared in various conference proceedings and journals. He has received more than 10 US patents, and served on the program committees for various networking conferences, including ACM SIGCOMM and IEEE INFOCOM. In 2005, he was awarded the ACM Software Systems Award for his original work on Secure Network Programming, an approach to providing security over the socket layer. He is an Editor of IEEE Wireless Communications and was an adjunct faculty member at the University of Pennsylvania.

He received his B.Sc. degree in Computer Science (First Class Honor) from the University of Hong Kong, and his M.S. and Ph.D. degrees in Computer Science from the University of Texas at Austin.