A2M: Access-Assured Mobile Desktop Computing

Continued improvements in network bandwidth, cost, and ubiquitous access are enabling service providers to host desktop computing environments to address the complexity, cost, and mobility limitations of today's personal computing infrastructure. However, distributed denial-of-service (DDoS) attacks can deny use of such services to users. We present A2M, a secure and attack-resilient desktop computing hosting infrastructure. A2M combines a stateless and secure communication protocol, a single-hop indirection-based network (IBN), and a remote display architecture to provide mobile users with continuous access to their desktop computing sessions. Our architecture protects both the hosting infrastructure and the client's connections against a wide range of service disruption attacks. Unlike any other DoS protection system, A2M takes advantage of its low-latency remote display mechanisms and asymmetric traffic characteristics by using multi-path routing to send a small number of replicas of each packet transmitted from client to server. This packet replication through different paths diversifies the client-server communication, boosting system resiliency and reducing end-to-end latency. Our analysis and experimental results on PlanetLab demonstrate that A2M significantly increases the hosting infrastructure's attack resilience, even in wireless scenarios. Using conservative ISP bandwidth data, we show that we can protect against attacks involving thousands of attackers (150,000), while providing good performance for multimedia and web applications and basic GUI interactions even when up to 30% and 50%, respectively, of the indirection nodes become unresponsive.
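As an added illustration (not the paper's own code or the A2M implementation), the following Python model reproduces the replication argument from the abstract: the client sends each packet as k replicas through k distinct single-hop indirection nodes, the server keeps only the first authentic copy of each sequence number, and a chosen fraction of nodes is made unresponsive. The shared key, node count, payload and HMAC-SHA256 tag are constructed assumptions standing in for the paper's stateless authenticated protocol.

```python
import hashlib
import hmac
import random

KEY = b"constructed-demo-key"   # assumption: key shared by client and server

def tag(seq: int, payload: bytes) -> bytes:
    """Per-packet authenticator; HMAC-SHA256 is a stand-in, not A2M's own scheme."""
    return hmac.new(KEY, seq.to_bytes(4, "big") + payload, hashlib.sha256).digest()

class Server:
    """Accepts the first authentic replica of each sequence number, drops the rest."""
    def __init__(self):
        self.seen = set()
        self.delivered = []

    def receive(self, seq: int, payload: bytes, mac: bytes) -> bool:
        if not hmac.compare_digest(mac, tag(seq, payload)):
            return False                      # forged or corrupted replica
        if seq in self.seen:
            return False                      # duplicate that arrived via another path
        self.seen.add(seq)
        self.delivered.append(payload)
        return True

def send_replicated(server, alive, seq, payload, k, rng) -> bool:
    """Client side: k replicas through k distinct indirection nodes; True if any arrives."""
    mac = tag(seq, payload)
    arrived = False
    for node in rng.sample(range(len(alive)), k):
        if alive[node]:                       # an unresponsive node silently drops the replica
            arrived = server.receive(seq, payload, mac) or arrived
    return arrived

def simulate(n_nodes=100, dead_fraction=0.5, k=3, packets=2000, seed=1):
    """Return (observed loss rate, packets delivered) with dead_fraction of nodes down."""
    rng = random.Random(seed)
    alive = [True] * n_nodes
    for i in rng.sample(range(n_nodes), int(n_nodes * dead_fraction)):
        alive[i] = False
    srv = Server()
    lost = sum(not send_replicated(srv, alive, seq, b"frame", k, rng)
               for seq in range(packets))
    return lost / packets, len(srv.delivered)

def loss_estimate(dead_fraction: float, k: int) -> float:
    """Large-pool approximation: all k replicas hit dead nodes with probability f**k."""
    return dead_fraction ** k
```

Comparing `simulate(k=k)[0]` against `loss_estimate(0.5, k)` for k = 1, 2, 3 shows how a small number of replicas drives packet loss down even when half of the indirection nodes are unresponsive.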
