论文信息 - A Deployable Architecture against Application-level DDoS Attacks

A Deployable Architecture against Application-level DDoS Attacks

In application-level DDoS attacks, attackers mimic legitimate client behavior by sending proper-looking requests via bots. The previous DDoS solutions focus on bandwidth flooding attacks, and have encountered significant difficulty in deployment. This paper presents a deployable architecture that counts the application-level DDoS attacks against Web servers by combining overlay and IP anycast. In this architecture, when a protected Web server is under attacks, the traffic to the server will be redirected to an overlay via IP anycast. The overlay nodes provide effective protection to the server by the distributed filter, the distributed traffic control, and also by building a temporary collaborative edge Web cache. We demonstrate that this novel architecture has strong incentives to deploy and is able to be deployed by a single ISP without any modifications to implementation of routers and end host. We then discuss its properties and design challenges.

[1] Balachander Krishnamurthy,et al. Flash crowds and denial of service attacks: characterization and implications for CDNs and web sites , 2002, WWW.

[2] Xiaowei Yang,et al. A DoS-limiting network architecture , 2005, SIGCOMM '05.

[3] Angelos D. Keromytis,et al. SOS: secure overlay services , 2002, SIGCOMM '02.

[4] David R. Karger,et al. Chord: A scalable peer-to-peer lookup service for internet applications , 2001, SIGCOMM '01.

[5] Ratul Mahajan,et al. Controlling high bandwidth aggregates in the network , 2002, CCRV.

[6] Rynson W. H. Lau,et al. Knowledge and Data Engineering for e-Learning Special Issue of IEEE Transactions on Knowledge and Data Engineering , 2008 .

[7] Yu Chen,et al. Evaluation of edge caching/offloading for dynamic content delivery , 2003, WWW '03.

[8] Yu Chen,et al. Evaluation of edge caching/off loading for dynamic content delivery , 2004, IEEE Transactions on Knowledge and Data Engineering.

[9] Anna R. Karlin,et al. Practical network support for IP traceback , 2000, SIGCOMM.

[10] Michael Walfish,et al. DDoS defense by offense , 2006, TOCS.

[11] Mark Handley,et al. Steps towards a DoS-resistant internet architecture , 2004, FDNA '04.

[12] Srikanth Kandula,et al. Botz-4-sale: surviving organized DDoS attacks that mimic flash crowds , 2005, NSDI.

[13] Gang Peng,et al. CDN: Content Distribution Network , 2004, ArXiv.