Adaptive Selective Verification: An Efficient Adaptive Countermeasure to Thwart DoS Attacks

Denial-of-service (DoS) attacks are considered within a shared channel model in which attack rates may be large but are bounded, and client request rates vary within fixed bounds. In this setting, it is shown that clients can adapt effectively to an attack by increasing their request rate, using timeout windows to estimate the attack rate. The server is then able to process client requests with high probability while pruning out most of the attack by selective random sampling. The protocol introduced here, Adaptive Selective Verification (ASV), is shown to use bandwidth efficiently and requires neither server state nor assumptions about network congestion. The main results of the paper are a formulation of optimal performance and a proof that ASV is optimal.
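The following is an added illustration, not code from the paper: a simplified model of the two halves of the mechanism the abstract describes. The server samples a bounded number of verification slots uniformly at random from everything that arrives in a window (selective random sampling), and a legitimate client reacts to each timeout by replicating its request. The doubling rule, the replication cap, the per-window capacity and attack rate, and the assumption that a single client's copies compete only against attack traffic are all assumptions made for this example; the paper's own model and its optimality analysis are not reproduced here.

```python
"""Simplified model of Adaptive Selective Verification (ASV).

Assumptions (not from the paper): per-window server capacity S, bounded attack
rate A, uniform sampling without replacement of S requests out of everything
that arrived, and a client that doubles its replication after every timeout.
"""
import math
import random
from fractions import Fraction


def acceptance_probability(server_capacity: int, attack_rate: int,
                           copies: int, other_legit: int = 0) -> float:
    """Probability that at least one of `copies` replicas from one client lands
    among the `server_capacity` requests the server samples in a window.

    Arrivals in the window: N = attack_rate + other_legit + copies.  Sampling S
    of them without replacement, the chance that none of the client's k copies
    is drawn is the hypergeometric miss term C(N-k, S) / C(N, S).
    """
    n = attack_rate + other_legit + copies
    s = min(server_capacity, n)          # server never samples more than arrived
    miss = Fraction(math.comb(n - copies, s), math.comb(n, s))  # comb() is 0 if s > n-k
    return float(1 - miss)


def copies_for_round(timeouts: int, max_copies: int = 64) -> int:
    """Client-side adaptation (assumed rule): after each timeout the client
    doubles the number of copies it sends, up to a cap that bounds bandwidth."""
    return min(max_copies, 2 ** timeouts)


def simulate_client(server_capacity: int, attack_rate: int,
                    max_rounds: int = 8, max_copies: int = 64, seed: int = 0):
    """Monte Carlo run of one legitimate client under a constant-rate attack.

    Returns (rounds_used, total_copies_sent), or (None, total_copies_sent) if
    the client gives up after `max_rounds` timeout windows.
    """
    rng = random.Random(seed)
    total_sent = 0
    for r in range(max_rounds):
        k = copies_for_round(r, max_copies)
        total_sent += k
        n = attack_rate + k
        # Indices 0..k-1 are the client's copies; the rest is attack traffic.
        chosen = rng.sample(range(n), min(server_capacity, n))
        if any(i < k for i in chosen):   # at least one copy was verified
            return r + 1, total_sent
    return None, total_sent


def legitimate_share(server_capacity: int, attack_rate: int,
                     num_clients: int, copies: int) -> float:
    """Expected fraction of the server's verified requests that are legitimate
    when every one of `num_clients` clients sends `copies` replicas.  Because the
    sampling is uniform, this equals the legitimate fraction of arrivals, which
    is why replication lets bounded legitimate traffic compete with the attack."""
    legit = num_clients * copies
    return legit / (legit + attack_rate)


if __name__ == "__main__":
    S, A = 100, 1000                     # constructed parameters for the demo
    print("round  copies  P(accepted)")
    for r in range(7):
        k = copies_for_round(r)
        print(f"{r:5d}  {k:6d}  {acceptance_probability(S, A, k):.4f}")
    rounds, sent = simulate_client(S, A, seed=1)
    print(f"simulated client verified after {rounds} window(s), sent {sent} copies")
    print(f"legitimate share with 10 clients x 16 copies: "
          f"{legitimate_share(S, A, 10, 16):.3f}")
```

The table printed by the demo shows the defender-side trade-off the abstract alludes to: the server keeps no per-client state and simply samples, yet a client that escalates only after observed timeouts reaches a high acceptance probability within a few windows, while its total bandwidth stays bounded by the replication cap.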