A Lightweight Mechanism to Mitigate Application Layer DDoS Attacks

Application layer DDoS attacks, to which network layer solutions are not applicable because attackers are indistinguishable on the basis of packets or protocols, prevent legitimate users from accessing services. In this paper, we propose Trust Management Helmet (TMH) as a partial solution to this problem: a lightweight mitigation mechanism that uses trust to differentiate legitimate users from attackers. Its key insight is that a server should give priority to protecting the connectivity of good users during application layer DDoS attacks, instead of identifying all the attack requests. The trust in clients is evaluated based on their visiting history and used to schedule service to their requests. We introduce a license for user identification (even behind NATs) and for storing the trust information at clients. The license is cryptographically secured against forgery and replay attacks. We realize this mitigation mechanism, implement it as a Java package, and use it for simulation. Through simulation, we show that TMH is effective in mitigating session flooding attacks: even with 20 times as many attackers, more than 99% of the sessions from legitimate users are accepted with TMH, whereas less than 18% are accepted without it.
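The following is an added sketch of the three ingredients the abstract names (a forgery- and replay-resistant client license, history-based trust, and trust-ordered admission); it is not the authors' Java package, and the token layout, the HMAC construction, the serial-number replay check and the trust-update rule are assumptions made for this illustration.

```python
import base64, binascii, hashlib, hmac, json

# Constructed demo key; a real server would hold a secret, rotatable key.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"

def _mac(payload: bytes) -> str:
    """HMAC-SHA256 over the license payload so clients cannot alter trust."""
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()

def issue_license(client_id: str, trust: float, serial: int) -> str:
    """Opaque token 'base64(payload).mac'; serial increases on every issuance."""
    payload = json.dumps({"id": client_id, "trust": trust, "serial": serial},
                         sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _mac(payload)

def verify_license(token: str, seen_serials: dict):
    """Return the license fields, or None if forged/tampered or replayed.
    seen_serials maps client id -> highest serial accepted so far (assumed
    replay defence: a license older than one already used is rejected)."""
    try:
        b64, mac = token.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(b64.encode())
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(_mac(payload), mac):
        return None                      # forgery or tampering
    fields = json.loads(payload)
    if fields["serial"] <= seen_serials.get(fields["id"], -1):
        return None                      # replay of an older license
    seen_serials[fields["id"]] = fields["serial"]
    return fields

def update_trust(trust: float, well_behaved: bool) -> float:
    """Assumed history rule: reward slowly, punish quickly, keep within [0, 1]."""
    return min(1.0, trust + 0.1) if well_behaved else max(0.0, trust / 2)

def schedule(requests, capacity: int):
    """Admit at most `capacity` sessions, highest trust first (ties: arrival order).
    New or misbehaving clients (trust 0) are served only when capacity remains."""
    ranked = sorted(enumerate(requests), key=lambda kv: (-kv[1]["trust"], kv[0]))
    return [r["id"] for _, r in ranked[:capacity]]
```

Under a session flood, attackers without a visiting history hold trust 0, so `schedule` keeps serving established clients while the rest compete for leftover capacity.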
