Rebound Wall, A Novel Technology against DoS Attacks

DoS/DDoS attacks have become one of the most critical security problems in today's network systems: they are easy for hackers to launch but hard for victims to defend against. This paper presents a novel and robust mechanism, named Rebound Wall, which proves very effective at protecting a victim server from DoS attacks and is easy to deploy in practice. The rebound wall comprises available machines in the LAN surrounding the core server. Unlike existing DoS defense techniques, which rely heavily on packet marking and/or filtering, the rebound wall uses roaming crypt-doors: valid requests can only pass through a designated entrance to the server, and these entrance machines roam over the rebound wall so that hackers cannot locate a target at which to launch an effective attack. Other new technologies and protocols needed to realize the rebound wall are also presented, including Floating Entrance, Entrance Switch, User-end Authentication, Entrance-based Privilege Control, and Traceback. A survivability model for the rebound wall is further built on a continuous-time Markov chain (CTMC). A rebound wall was implemented in practice, and both experimental data and analytical results validate the effectiveness, efficiency, and robustness of the technology. We finally compare the rebound wall with other related and advanced technologies against DoS/DDoS.
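An illustrative model of the floating entrance and user-end authentication described above, added here as example code rather than the paper's implementation: the HMAC-driven roaming schedule, the 30-second switch interval, the host names and the user registry are all constructed assumptions, chosen only to show why a flood aimed at any fixed wall host never reaches the core server.

```python
import hmac
import hashlib

# Constructed example: four LAN hosts form the rebound wall around one core server.
WALL = ["wall-a", "wall-b", "wall-c", "wall-d"]
# Assumed: a secret shared by the wall hosts and registered users drives the roaming schedule.
SCHEDULE_KEY = b"constructed-schedule-secret"
EPOCH_SECONDS = 30  # assumed entrance-switch interval
# Constructed user registry for user-end authentication: user -> per-user key.
USERS = {"alice": b"constructed-key-alice", "bob": b"constructed-key-bob"}

def epoch_of(t: int) -> bytes:
    """Epoch index as 8-byte big-endian; every HMAC below is bound to it."""
    return (t // EPOCH_SECONDS).to_bytes(8, "big")

def current_entrance(t: int, key: bytes = SCHEDULE_KEY) -> str:
    """Which wall host is the live entrance at time t (floating entrance).
    Derived from an HMAC over the epoch, so holders of the key compute it
    locally while an outsider sees only a set of identical hosts."""
    tag = hmac.new(key, epoch_of(t), hashlib.sha256).digest()
    return WALL[int.from_bytes(tag[:4], "big") % len(WALL)]

def roaming_schedule(start: int, epochs: int) -> list:
    """Entrance host for each of `epochs` consecutive epochs starting at `start`."""
    return [current_entrance(start + i * EPOCH_SECONDS) for i in range(epochs)]

def user_token(user: str, t: int) -> bytes:
    """User-end authentication (assumed form): HMAC over the epoch with the user's key."""
    return hmac.new(USERS[user], epoch_of(t), hashlib.sha256).digest()

def wall_host_handle(host: str, t: int, user: str, token: bytes) -> str:
    """Decision taken by wall host `host` for a request arriving at time t.
    Only the current entrance forwards, and only for an authenticated user;
    every other host drops, so a flood aimed at any fixed host misses."""
    if host != current_entrance(t):
        return "drop:not-entrance"
    if user not in USERS or not hmac.compare_digest(token, user_token(user, t)):
        return "drop:unauthenticated"
    return "forward:core-server"

def simulate_flood(t: int, target: str, packets: int) -> int:
    """Unauthenticated packets aimed at one fixed wall host: how many reach the server."""
    return sum(wall_host_handle(target, t, "nobody", b"") == "forward:core-server"
               for _ in range(packets))
```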
