OverDoSe: A Generic DDoS Protection Service Using an Overlay Network

We present the design and implementation of OverDoSe, an overlay network offering generic DDoS protection for targeted sites. OverDoSe clients and servers are isolated at the IP level. Overlay nodes route packets between a client and a server, and regulate traffic according to the server's instructions. Through the use of lightweight security primitives, OverDoSe achieves resilience against compromised overlay nodes with minimal performance overhead. OverDoSe can be deployed by a single ISP that wishes to offer DDoS protection as a value-added service to its customers.
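As an added illustration of the design the abstract describes (this is not code from the OverDoSe paper), the sketch below assumes that the server authenticates each per-client rate instruction with an HMAC under a key shared with honest overlay nodes, and that a node enforces the instruction with a token bucket; the primitive, the shared key and the rate values are assumptions chosen to show why a compromised node cannot forge a more generous instruction.

```python
import hmac, hashlib
from dataclasses import dataclass, field

# Constructed example: the protected server issues per-client rate instructions
# to overlay nodes; each instruction carries an HMAC under a key shared between
# the server and honest nodes (assumption), so a node cannot forge or alter one.

SERVER_KEY = b"constructed-shared-key"  # assumption: pre-shared server/overlay key

def issue_instruction(client_id: str, rate_pps: int, key: bytes = SERVER_KEY) -> dict:
    """Server side: sign 'client_id may send rate_pps packets per second'."""
    msg = f"{client_id}:{rate_pps}".encode()
    return {"client": client_id, "rate": rate_pps,
            "tag": hmac.new(key, msg, hashlib.sha256).hexdigest()}

def verify_instruction(instr: dict, key: bytes = SERVER_KEY) -> bool:
    """Overlay side: accept only instructions whose tag the server produced."""
    msg = f"{instr['client']}:{instr['rate']}".encode()
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, instr["tag"])

@dataclass
class OverlayNode:
    """Overlay node: applies only authenticated limits, token-bucket style."""
    limits: dict = field(default_factory=dict)   # client -> allowed rate (pps)
    buckets: dict = field(default_factory=dict)  # client -> (tokens, last_time)

    def accept_instruction(self, instr: dict) -> bool:
        if not verify_instruction(instr):
            return False          # forged or tampered instruction is ignored
        self.limits[instr["client"]] = instr["rate"]
        self.buckets[instr["client"]] = (float(instr["rate"]), 0.0)
        return True

    def forward(self, client_id: str, now: float) -> bool:
        """Decide whether a packet from client_id arriving at `now` is forwarded."""
        rate = self.limits.get(client_id)
        if rate is None:
            return False          # client the server never admitted: drop
        tokens, last = self.buckets[client_id]
        tokens = min(rate, tokens + (now - last) * rate)  # refill since last packet
        if tokens < 1:
            self.buckets[client_id] = (tokens, now)
            return False          # over the server-specified rate: drop
        self.buckets[client_id] = (tokens - 1, now)
        return True
```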
