
DDoS defense by offense

Published: 04 August 2010

Abstract

This article presents the design, implementation, analysis, and experimental evaluation of speak-up, a defense against application-level distributed denial-of-service (DDoS), in which attackers cripple a server by sending legitimate-looking requests that consume computational resources (e.g., CPU cycles, disk). With speak-up, a victimized server encourages all clients, resources permitting, to automatically send higher volumes of traffic. We suppose that attackers are already using most of their upload bandwidth so cannot react to the encouragement. Good clients, however, have spare upload bandwidth so can react to the encouragement with drastically higher volumes of traffic. The intended outcome of this traffic inflation is that the good clients crowd out the bad ones, thereby capturing a much larger fraction of the server's resources than before. We experiment under various conditions and find that speak-up causes the server to spend resources on a group of clients in rough proportion to their aggregate upload bandwidths, which is the intended result.
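As an added illustration of the abstract's claim (constructed example, not code from the paper or its authors), the following toy model allocates a server's request capacity in proportion to each client's offered traffic, first without speak-up and then with the encouragement in effect. The client counts, bandwidths, demands and server capacity are all assumed values chosen so that the bad clients saturate their uplinks while the good clients have spare upload bandwidth.

```python
"""Toy model of speak-up's traffic-inflation argument (constructed example,
not the paper's code). Bandwidth is in abstract units/s; one un-inflated
request costs one unit of upload bandwidth; the server serves requests/s."""
from dataclasses import dataclass


@dataclass
class Client:
    name: str
    upload_capacity: float  # most the client can push upstream, units/s
    demand: float           # requests/s it actually wants served
    good: bool              # label used only for reporting, never by the server


def proportional_allocation(weights, demands, capacity):
    """Water-filling: split capacity among clients in proportion to weight,
    never giving a client more than it demands; whatever capped clients
    leave over is re-split among the rest with the same weights."""
    alloc = {k: 0.0 for k in weights}
    active = {k for k in weights if weights[k] > 0 and demands[k] > 0}
    remaining = capacity
    while active and remaining > 1e-12:
        total_w = sum(weights[k] for k in active)
        capped = set()
        for k in active:
            give = remaining * weights[k] / total_w
            if give >= demands[k] - alloc[k]:
                give = demands[k] - alloc[k]
                capped.add(k)
            alloc[k] += give
        remaining = capacity - sum(alloc.values())
        if not capped:
            break           # everything was handed out this round
        active -= capped
    return alloc


def simulate(clients, server_capacity, speak_up):
    """Server allocation with or without speak-up's encouragement."""
    offered = {c.name: min(c.demand, c.upload_capacity) for c in clients}
    demands = {c.name: c.demand for c in clients}
    # Threshold: below capacity there is no overload, so no defense engages.
    if sum(offered.values()) <= server_capacity:
        return offered
    if not speak_up:
        # Overloaded server drops blindly: service tracks the offered rate.
        weights = offered
    else:
        # Encouragement: every client is asked to send at full upload
        # capacity. Bad clients are assumed to be there already, so only the
        # good ones inflate; the server then allocates by bytes delivered.
        weights = {c.name: c.upload_capacity for c in clients}
    return proportional_allocation(weights, demands, server_capacity)


def good_fraction(alloc, clients):
    """Share of served requests that went to good clients."""
    good = sum(alloc[c.name] for c in clients if c.good)
    return good / sum(alloc.values())


def build_scenario():
    """Constructed: 50 good and 50 bad clients with equal uplinks; bad ones
    saturate theirs, good ones use a fifth; server holds 1/6 of the load."""
    good = [Client(f"good{i}", 100.0, 20.0, True) for i in range(50)]
    bad = [Client(f"bad{i}", 100.0, 100.0, False) for i in range(50)]
    return good + bad, 1000.0
```

In the constructed scenario the good clients' share of the server rises from one sixth to one half once they inflate to their full upload bandwidth, matching the abstract's "rough proportion to aggregate upload bandwidth" outcome.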


Reviews

Ruay-Shiung Chang

Two methods are usually used to defend against distributed denial-of-service (DDoS) attacks: the first method provides lots of resources to satisfy requests, so that services cannot be denied; the other method builds a blacklist for denying requests. This paper proposes a different approach: allocate a fair amount of bandwidth and resources, such as central processing unit (CPU) time and memory, to each connection, instead of trying to distinguish who is and who isn't an attacker. The assumption is that attackers would use most of their uplink bandwidth to infiltrate; therefore, the method encourages all clients to promote their bandwidth usage. Under this scenario, malicious clients cannot react to the encouragement and good clients can obtain better service than before. This method has three main steps: limit requests to a defending server to a threshold; encourage all clients to send more traffic (for example, by resending the same message); and proportionally allocate bandwidth owned by the server according to the delivered bandwidth of all clients. The authors claim that the idea is also applicable to network address translation (NAT) and proxy environments. However, the corresponding evaluation is not included in Section 8, the experimental evaluation part. The claim that evaluation is based on local area networks (LANs) disregards the fact that, currently, many connect to the Internet via asymmetric digital subscriber lines (ADSLs). While users with bandwidth to spare could apply this method, most users are controlled by service providers or run peer-to-peer (P2P) applications. Bandwidth is not something that users can control. The paper is written in a question-and-answer style, and the first part reads like an advertisement.

Online Computing Reviews Service


Published in

ACM Transactions on Computer Systems, Volume 28, Issue 1
March 2010
106 pages
ISSN: 0734-2071
EISSN: 1557-7333
DOI: 10.1145/1731060

Copyright © 2010 ACM

      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery, New York, NY, United States

Publication History

• Published: 4 August 2010
• Accepted: 1 January 2010
• Revised: 1 August 2009
• Received: 1 February 2008

Qualifiers

• research-article
• Research
• Refereed