Defending P2Ps from Overlay Flooding-based DDoS

Unstructured P2P systems often use a flooding-based search mechanism. Although flooding-based search is simple and easy to implement, it is vulnerable to overlay distributed denial-of-service (DDoS) attacks. Most previous security techniques protect networks from network-layer DDoS attacks, but cannot be applied to overlay DDoS attacks. Overlay flooding-based DDoS attacks can be more damaging because the flooding mechanism itself propagates a small number of messages until they consume a large amount of bandwidth and computation resources. We propose a distributed and scalable method, DD-POLICE, that detects malicious nodes in order to defend P2P systems from overlay flooding-based DDoS attacks. We show the effectiveness of DD-POLICE through comprehensive simulation studies. We believe that deploying DD-POLICE will make P2P systems more scalable and robust.
