Defending networked resources against floods of unwelcome requests

The Internet is afflicted by “unwelcome requests”, defined broadly as spurious claims on scarce resources. For example, the CPU and other resources at a server are targets of denial-of-service (DoS) attacks. Another example is spam (i.e., unsolicited bulk email); here, the resource is human attention. Absent any defense, a very small number of attackers can claim a very large fraction of the scarce resources. Traditional responses identify “bad” requests based on content (for example, spam filters analyze email text and embedded URLs). We argue that such approaches are inherently gameable because motivated attackers can make “bad” requests look “good”. Instead, defenses should aim to allocate resources proportionally (so if 10% of the requesters are “bad”, they should be limited to 10% of the scarce resources). To meet this goal, we present the design, implementation, analysis, and experimental evaluation of two systems. The first, speak-up, defends servers against application-level denial-of-service by encouraging all clients to automatically send more traffic. The “good” clients can thereby compete equally with the “bad” ones. Experiments with an implementation of speak-up indicate that it allocates a server’s resources in rough proportion to clients’ upload bandwidths, which is the intended result. The second system, DQE, controls spam with per-sender email quotas. Under DQE, senders attach stamps to emails. Receivers communicate with a well-known, untrusted enforcer to verify that stamps are fresh and to cancel stamps to prevent reuse. The enforcer is distributed over multiple hosts and is designed to tolerate arbitrary faults in these hosts, resist various attacks, and handle hundreds of billions of messages daily (two or three million stamp checks per second). Our experimental results suggest that our implementation can meet these goals with only a few thousand PCs. The enforcer occupies a novel design point: a set of hosts implement a simple storage abstraction but avoid neighbor maintenance, replica maintenance, and mutual trust. One connection between these systems is that DQE needs a DoS defense—and can use speak-up. We reflect on this connection, on why we apply speak-up to DoS and DQE to spam, and, more generally, on what problems call for which solutions.

Dissertation Supervisor: Hari Balakrishnan
Title: Professor

To Jack and Ruth Radin
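
The stamp check that the abstract describes for DQE (verify freshness, then cancel to prevent reuse) can be sketched as follows. This is an added example, not code from the dissertation: the names `Issuer`, `Enforcer`, `receive` and `test_and_set`, the stamp layout, the HMAC stand-in for real signatures, and the two-epoch freshness window are all assumptions made for illustration.

```python
import hashlib
import hmac

ISSUER_KEY = b"constructed-demo-key"  # assumption: HMAC stands in for signatures
QUOTA = 2                             # constructed: stamps per sender per epoch


class Issuer:
    """Hypothetical quota issuer: at most QUOTA stamps per sender per epoch."""
    def __init__(self):
        self.issued = {}

    def mint(self, sender, epoch):
        n = self.issued.get((sender, epoch), 0)
        if n >= QUOTA:
            raise PermissionError("quota exhausted")
        self.issued[(sender, epoch)] = n + 1
        body = f"{sender}|{epoch}|{n}"
        tag = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}|{tag}"


class Enforcer:
    """Untrusted store: holds only stamp fingerprints, never stamp contents."""
    def __init__(self):
        self.cancelled = set()

    def test_and_set(self, fingerprint):
        seen = fingerprint in self.cancelled
        self.cancelled.add(fingerprint)
        return seen


def receive(stamp, enforcer, current_epoch):
    """Receiver side: return 'accept', 'invalid', 'stale' or 'reused'."""
    try:
        sender, epoch, serial, tag = stamp.split("|")
        epoch = int(epoch)
    except ValueError:
        return "invalid"
    body = f"{sender}|{epoch}|{serial}"
    expect = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).hexdigest()
    # The receiver validates the stamp itself; the enforcer is not trusted to.
    if not hmac.compare_digest(tag.encode(), expect.encode()):
        return "invalid"
    if epoch not in (current_epoch, current_epoch - 1):
        return "stale"
    fp = hashlib.sha256(stamp.encode()).hexdigest()
    return "reused" if enforcer.test_and_set(fp) else "accept"
```

Because the receiver checks validity and freshness locally and the enforcer only answers "seen before or not" for an opaque fingerprint, a faulty enforcer host in this sketch can at worst let a stamp be reused; it cannot forge one.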
