
WebSOS: an overlay-based system for protecting web servers from denial of service attacks

Published: 05 August 2005

Abstract

We present WebSOS, a novel overlay-based architecture that provides guaranteed access to a web server that is targeted by a denial of service (DoS) attack. Our approach exploits two key characteristics of the web environment: its design around a human-centric interface, and the extensibility inherent in many browsers through downloadable "applets". We guarantee access to a web server for a large number of previously unknown users, without requiring pre-existing trust relationships between users and the system, by using reverse Graphic Turing Tests: challenges that a human at a browser can pass but automated attack code cannot. Furthermore, our system makes it easy for service providers to charge users, providing an incentive for a commercial offering of the service. Users can dynamically decide whether to use the WebSOS overlay, based on the prevailing network conditions. Our prototype requires no modifications to either servers or browsers; it makes use of Graphic Turing Tests, web proxies, and client authentication using the SSL/TLS protocol, all readily supported by modern browsers. We then extend this system with a credential-based micropayment scheme that combines access control and payment authorization in one operation. The Turing tests ensure that malicious code, such as a worm, cannot abuse a user's micropayment wallet. We use the WebSOS prototype to conduct a performance evaluation over the Internet using PlanetLab, a testbed for experimentation with network overlays. We measure end-to-end latency using both a Chord-based routing approach and our shortcut extension. Our evaluation shows that latency increases by factors of 7 and 2, respectively, confirming our simulation results.
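The access path the abstract describes, as an added toy model that is not code from the WebSOS prototype or its authors: an overlay access point gates clients with a Graphic Turing Test and issues a short-lived credential, requests are routed across a Chord ring to the beacon node for the target and on to a secret servlet (or, with the shortcut, straight to the servlet), and a filter in front of the web server admits only the servlet's traffic, so a direct flood never reaches the server. Everything below that is not in the abstract is an assumption: the credential is an HMAC over (client, expiry) under a key shared by access points and servlets (the real prototype authenticated clients with SSL/TLS client certificates), the Turing test is stood in for by a constructed expected answer, the ring is 8 bits wide, and all node names, the target name and the flood source address are made up.

```python
"""Toy WebSOS access path: GTT gate -> credential -> Chord/shortcut routing ->
secret servlet -> filter at the target. Added example, not the paper's code.
Assumptions (labelled): HMAC credential instead of SSL/TLS client certificates,
a constructed GTT answer, an 8-bit Chord ring, invented node and host names.
"""
import hashlib
import hmac
import time

RING_BITS = 8
RING = 1 << RING_BITS
SHARED_KEY = b"constructed-demo-key"      # assumption: key shared by SOAPs and servlets
TARGET = "www.example-target.test"        # constructed name of the protected web server


def node_id(name: str) -> int:
    """Overlay identifier: SHA-1 of the node name, folded onto the ring."""
    return int(hashlib.sha1(name.encode()).hexdigest(), 16) % RING


def in_open(x: int, a: int, b: int) -> bool:
    """True if x lies strictly inside the clockwise arc (a, b) on the ring."""
    return a < x < b if a < b else (x > a or x < b)


class Chord:
    """Chord ring with exact finger tables; route() is the greedy lookup."""

    def __init__(self, names):
        self.ids = sorted({node_id(n) for n in names})

    def successor(self, key: int) -> int:
        for i in self.ids:
            if i >= key:
                return i
        return self.ids[0]

    def finger(self, n: int, k: int) -> int:
        return self.successor((n + (1 << k)) % RING)

    def route(self, start: int, key: int) -> list:
        """Node ids visited when `start` looks up the node responsible for `key`."""
        target, cur, path = self.successor(key), start, [start]
        while cur != target:
            succ = self.finger(cur, 0)
            if succ == target:                # key in (cur, succ]: final hop
                cur = succ
            else:                             # closest preceding finger, as in Chord
                nxt = cur
                for k in reversed(range(RING_BITS)):
                    f = self.finger(cur, k)
                    if in_open(f, cur, key):
                        nxt = f
                        break
                cur = nxt if nxt != cur else succ
            path.append(cur)
        return path


def issue_credential(gtt_answer: str, expected: str, client: str, ttl: int = 600):
    """Access point: a correct GTT answer yields a short-lived signed credential."""
    if gtt_answer != expected:
        return None                           # automated client: no credential
    exp = int(time.time()) + ttl
    tag = hmac.new(SHARED_KEY, f"{client}|{exp}".encode(), hashlib.sha256).hexdigest()
    return {"client": client, "exp": exp, "tag": tag}


def credential_ok(cred, now=None) -> bool:
    """Overlay nodes accept only unexpired credentials with a valid tag."""
    if cred is None:
        return False
    now = int(time.time()) if now is None else now
    good = hmac.new(SHARED_KEY, f"{cred['client']}|{cred['exp']}".encode(),
                    hashlib.sha256).hexdigest()
    return hmac.compare_digest(good, cred["tag"]) and cred["exp"] > now


def target_filter(src, servlet_id: int) -> bool:
    """Filter in front of the web server: only the secret servlet's traffic passes."""
    return src == servlet_id


def deliver(overlay: Chord, soap: str, servlet: str, cred, shortcut: bool = False):
    """Carry one request from access point `soap` to the target.

    Returns (accepted, overlay_hops). Without the shortcut the access point
    routes via Chord to the beacon (successor of hash(TARGET)), which forwards
    to the secret servlet; with the shortcut it sends to the servlet directly.
    """
    if not credential_ok(cred):
        return False, 0                       # dropped at the access point
    servlet_id = node_id(servlet)
    if shortcut:
        path = [node_id(soap), servlet_id]
    else:
        path = overlay.route(node_id(soap), node_id(TARGET)) + [servlet_id]
    return target_filter(path[-1], servlet_id), len(path) - 1


if __name__ == "__main__":
    ring = Chord([f"overlay-node-{i}" for i in range(48)] + ["soap-west", "secret-servlet-1"])
    cred = issue_credential("7x3k", "7x3k", "alice")        # constructed GTT answer
    print("chord   :", deliver(ring, "soap-west", "secret-servlet-1", cred))
    print("shortcut:", deliver(ring, "soap-west", "secret-servlet-1", cred, shortcut=True))
    print("no GTT  :", deliver(ring, "soap-west", "secret-servlet-1",
                              issue_credential("wrong", "7x3k", "bot")))
    print("flood   :", target_filter("198.51.100.7", node_id("secret-servlet-1")))
```

The two things worth noticing are the invariant and the trade-off. The invariant is that the filter never consults the credential: it only lets the secret servlet through, so the whole access-control burden sits on the overlay, and a flood aimed straight at the server address is dropped regardless of volume. The trade-off is in the hop count: the Chord path grows logarithmically with overlay size while the shortcut is a single overlay hop, which is the structural reason the abstract reports two different latency factors.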



Published In

Computer Networks: The International Journal of Computer and Telecommunications Networking  Volume 48, Issue 5
Web security
5 August 2005
128 pages

Publisher

Elsevier North-Holland, Inc.

United States


Author Tags

  1. Denial of service
  2. Graphic Turing Tests
  3. Java
  4. Network topology
  5. Overlay networks
  6. Reliability
  7. Security
  8. Security and protection
  9. Web proxies

Cited By

  • (2014) DDoS protection as a service. International Journal of Computational Science and Engineering 9(4), 292-300. doi:10.1504/IJCSE.2014.060711 (online 1 Apr 2014)
  • (2011) WDA. Computer Networks: The International Journal of Computer and Telecommunications Networking 55(5), 1037-1051. doi:10.1016/j.comnet.2010.05.001 (online 1 Apr 2011)
  • (2011) A multilayer overlay network architecture for enhancing IP services availability against DoS. Proceedings of the 7th International Conference on Information Systems Security, 322-336. doi:10.1007/978-3-642-25560-1_22 (online 15 Dec 2011)
  • (2010) A survey on the design, applications, and enhancements of application-layer overlay networks. ACM Computing Surveys 43(1), 1-34. doi:10.1145/1824795.1824800 (online 3 Dec 2010)
  • (2010) DTRAB. IEEE/ACM Transactions on Networking 18(4), 1234-1247. doi:10.1109/TNET.2009.2039492 (online 1 Aug 2010)
  • (2009) On cellular botnets. Proceedings of the 16th ACM Conference on Computer and Communications Security, 223-234. doi:10.1145/1653662.1653690 (online 9 Nov 2009)
  • (2007) Power to the people. Proceedings of the 2007 Workshop on Large Scale Attack Defense, 89-96. doi:10.1145/1352664.1352666 (online 27 Aug 2007)

View Options

View options

Media

Figures

Other

Tables

Share

Share

Share this Publication link

Share on social media