Empirical Study of Tolerating Denial-of-Service Attacks with a Proxy Network

Proxy networks have been proposed to protect applications from Denial-of-Service (DoS) attacks. However, since large-scale study in real networks is infeasible and most previous simulations have failed to capture detailed network behavior, the DoS resilience and performance implications of such use are not well understood in large networks. While post-mortems of actual large-scale attacks are useful, only limited dynamic behavior can be understood from these single instances. Our work provides the first detailed and broad study of this problem in large-scale realistic networks. The key is that we use an online network simulator to simulate a realistic large-scale network (comparable to several large ISPs). We use a generic proxy network and deploy it in a large simulated network, running typical real applications and DoS tools directly. We study detailed system dynamics under various attack scenarios and proxy network configurations. Specific results are as follows. First, rather than incurring a performance penalty, proxy networks can improve users' experienced performance. Second, proxy networks can effectively mitigate the impact of both spread and concentrated large-scale DoS attacks in large networks. Third, proxy networks provide scalable DoS resilience: resilience can be scaled up to meet the size of the attack, enabling application performance to be protected. Resilience increases almost linearly with the size of a proxy network; that is, the attack traffic that a given proxy network can resist, while preserving a particular level of application performance, grows almost linearly with proxy network size. These results provide empirical evidence that proxy networks can be used to tolerate DoS attacks, and quantitative guidelines for designing a proxy network to meet a resilience goal.
