Analyzing and improving the resistance of overlays against bandwidth exhaustion attacks

Private overlays, such as Virtual Private Networks (VPN), offer methods for cheap yet secure communication over the Internet. However, as our society becomes more and more dependent on the Internet, these structures turn into vital targets for Denial-of-Service (DoS) attacks. Since so-called botnets offer an inexpensive way to generate almost arbitrary amounts of traffic, the only effective measure that can be taken by overlay mechanisms is adapting the topology for minimal impact. This article presents novel metrics to estimate the impact of DoS attacks of different strengths. In particular, random, greedy, and optimal attacks are considered; for the optimal attacker we show that computing the attack involves NP-hard calculations. Based on the attacker models, several prerequisites for resilient overlay topologies, such as a low constant node degree and high girth, are derived and validated by a simulation study.
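As an added example, not code from the paper, the following Python check applies the two topology prerequisites the abstract names, a low constant node degree and a high girth, to three constructed overlay topologies: a hub-and-spoke VPN, a ring, and the Petersen graph (the smallest 3-regular graph with girth 5). The degree and girth thresholds are assumed values chosen for illustration, not taken from the paper, and the check tests necessary conditions only, not the paper's impact metrics.

```python
from collections import deque

def build(edges):
    """Undirected adjacency sets from an edge list (constructed input)."""
    adj = {}
    for u, v in edges:
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    return adj

def girth(adj):
    """Length of the shortest cycle, or None if the graph is acyclic.
    BFS from every vertex; a non-tree edge (u, v) closes a cycle of length
    at most dist[u] + dist[v] + 1, and the minimum over all sources is exact."""
    best = None
    for src in adj:
        dist, parent, queue = {src: 0}, {src: None}, deque([src])
        while queue:
            u = queue.popleft()
            for v in adj[u]:
                if v not in dist:
                    dist[v], parent[v] = dist[u] + 1, u
                    queue.append(v)
                elif parent[u] != v:
                    cycle = dist[u] + dist[v] + 1
                    if best is None or cycle < best:
                        best = cycle
    return best

def degree_range(adj):
    degs = [len(nb) for nb in adj.values()]
    return min(degs), max(degs)

def assess(adj, max_degree, min_girth):
    """Necessary conditions from the abstract: every node has the same degree,
    that degree is at most max_degree, and the girth is at least min_girth.
    Thresholds are assumed, not the paper's values."""
    lo, hi = degree_range(adj)
    g = girth(adj)
    regular = lo == hi
    ok = regular and hi <= max_degree and g is not None and g >= min_girth
    return {"regular": regular, "degree": hi, "girth": g, "ok": ok}

# Constructed topologies (8 nodes for hub and ring, 10 for Petersen)
HUB = build([(0, i) for i in range(1, 8)])          # hub-and-spoke VPN
RING = build([(i, (i + 1) % 8) for i in range(8)])  # ring
PETERSEN = build(
    [(i, (i + 1) % 5) for i in range(5)]            # outer 5-cycle
    + [(i, i + 5) for i in range(5)]                # spokes
    + [(5 + i, 5 + (i + 2) % 5) for i in range(5)]  # inner pentagram
)

if __name__ == "__main__":
    for name, g in (("hub", HUB), ("ring", RING), ("petersen", PETERSEN)):
        print(name, assess(g, max_degree=3, min_girth=5))
```

The hub-and-spoke layout fails both conditions (one node of degree 7, no cycle at all), which is the shape a single traffic flood hits hardest; the Petersen graph passes with degree 3 and girth 5.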
