DDoS-Shield: DDoS-Resilient Scheduling to Counter Application Layer Attacks

Countering distributed denial of service (DDoS) attacks is becoming ever more challenging with the vast resources and techniques increasingly available to attackers. In this paper, we consider sophisticated attacks that are protocol-compliant, non-intrusive, and utilize legitimate application-layer requests to overwhelm system resources. We characterize application-layer resource attacks as either request flooding, asymmetric, or repeated one-shot, on the basis of the application workload parameters that they exploit. To protect servers from these attacks, we propose a counter-mechanism namely DDoS Shield that consists of a suspicion assignment mechanism and a DDoS-resilient scheduler. In contrast to prior work, our suspicion mechanism assigns a continuous value as opposed to a binary measure to each client session, and the scheduler utilizes these values to determine if and when to schedule a session's requests. Using testbed experiments on a web application, we demonstrate the potency of these resource attacks and evaluate the efficacy of our counter-mechanism. For instance, we mount an asymmetric attack which overwhelms the server resources, increasing the response time of legitimate clients from 0.3 seconds to 40 seconds. Under the same attack scenario, DDoS Shield improves the victims' performance to 1.5 seconds.

[1]  Michael Walfish,et al.  DDoS defense by offense , 2006, TOCS.

[2]  Supranamaya Ranjan,et al.  DDoS-Resilient Scheduling to Counter Application Layer Attacks Under Imperfect Detection , 2006, Proceedings IEEE INFOCOM 2006. 25TH IEEE International Conference on Computer Communications.

[3]  John S. Heidemann,et al.  Identification of Repeated Denial of Service Attacks , 2006, Proceedings IEEE INFOCOM 2006. 25TH IEEE International Conference on Computer Communications.

[4]  Zhi-Li Zhang,et al.  Profiling internet backbone traffic: behavior models and applications , 2005, SIGCOMM '05.

[5]  Mark Crovella,et al.  Mining anomalies using traffic feature distributions , 2005, SIGCOMM '05.

[6]  Srikanth Kandula,et al.  Botz-4-sale: surviving organized DDoS attacks that mimic flash crowds , 2005, NSDI.

[7]  K. Argyraki,et al.  Active Internet Traffic Filtering: Real-Time Response to Denial-of-Service Attacks , 2003, USENIX Annual Technical Conference, General Track.

[8]  Hari Balakrishnan,et al.  Fast portscan detection using sequential hypothesis testing , 2004, IEEE Symposium on Security and Privacy, 2004. Proceedings. 2004.

[9]  Mooi Choo Chuah,et al.  Packetscore: statistics-based overload control against distributed denial-of-service attacks , 2004, IEEE INFOCOM 2004.

[10]  Supranamaya Ranjan,et al.  Wide area redirection of dynamic content by Internet data centers , 2004, IEEE INFOCOM 2004.

[11]  David Wetherall,et al.  Preventing Internet denial-of-service with capabilities , 2004, Comput. Commun. Rev..

[12]  Jitendra Malik,et al.  Recognizing objects in adversarial clutter: breaking a visual CAPTCHA , 2003, 2003 IEEE Computer Society Conference on Computer Vision and Pattern Recognition, 2003. Proceedings..

[13]  Alan L. Cox,et al.  Conflict-Aware Scheduling for Dynamic Content Applications , 2003, USENIX Symposium on Internet Technologies and Systems.

[14]  S. Ranjan,et al.  QoS-driven server migration for Internet data centers , 2002, IEEE 2002 Tenth IEEE International Workshop on Quality of Service (Cat. No.02EX564).

[15]  Balachander Krishnamurthy,et al.  Flash crowds and denial of service attacks: characterization and implications for CDNs and web sites , 2002, WWW.

[16]  Michael Weber,et al.  Protecting web servers from distributed denial of service attacks , 2001, WWW '01.

[17]  A. L. Narasimha Reddy,et al.  Mitigating Denial of Service Attacks Using QoS Regulation , 2001 .

[18]  Willy Zwaenepoel,et al.  Scalable Content-aware Request Distribution in Cluster-based Network Servers , 2000, USENIX Annual Technical Conference, General Track.

[19]  Allan Kuchinsky,et al.  Integrating user-perceived quality into Web server design , 2000, Comput. Networks.

[20]  Patrick Lincoln,et al.  TCP SYN Flooding Defense , 1999 .

[21]  Imre Csisźar,et al.  The Method of Types , 1998, IEEE Trans. Inf. Theory.

[22]  Vern Paxson,et al.  Bro: a system for detecting network intruders in real-time , 1998, Comput. Networks.

[23]  André Hardy,et al.  An examination of procedures for determining the number of clusters in a data set , 1994 .

[24]  Thomas M. Cover,et al.  Elements of Information Theory , 2005 .

[25]  T. Caliński,et al.  A dendrite method for cluster analysis , 1974 .

[26]  J. Andel Sequential Analysis , 2022, The SAGE Encyclopedia of Research Design.

[27]  O. F. Cook The Method of Types , 1898 .