DOI: 10.1145/633025.633032

SOS: secure overlay services

Published: 19 August 2002

Abstract

Denial of service (DoS) attacks continue to threaten the reliability of networking systems. Previous approaches for protecting networks from DoS attacks are reactive in that they wait for an attack to be launched before taking appropriate measures to protect the network. This leaves the door open for other attacks that use more sophisticated methods to mask their traffic. We propose an architecture called Secure Overlay Services (SOS) that proactively prevents DoS attacks, geared toward supporting Emergency Services or similar types of communication. The architecture is constructed using a combination of secure overlay tunneling, routing via consistent hashing, and filtering. We reduce the probability of successful attacks by (i) performing intensive filtering near protected network edges, pushing the attack point perimeter into the core of the network, where high-speed routers can handle the volume of attack traffic, and (ii) introducing randomness and anonymity into the architecture, making it difficult for an attacker to target nodes along the path to a specific SOS-protected destination. Using simple analytical models, we evaluate the likelihood that an attacker can successfully launch a DoS attack against an SOS-protected network. Our analysis demonstrates that such an architecture reduces the likelihood of a successful attack to minuscule levels.
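As an added illustration (not code from the paper), here is the kind of simple analytical model the abstract refers to: an attacker who can disable k of N overlay nodes, but cannot tell which nodes play which role on the path to the target, succeeds only if every node of some role is hit. The three roles (access points, beacons, secret servlets), their disjointness, and uniform random targeting are simplifying assumptions made here, and the Monte Carlo check uses a constructed role assignment.

```python
import random
from math import comb


def p_all_hit(n_total: int, role_size: int, k_hit: int) -> float:
    """Probability that every one of `role_size` nodes is among `k_hit`
    overlay nodes knocked out uniformly at random from `n_total`.
    Hypergeometric: fix the role's nodes as hit, choose the rest."""
    if k_hit < role_size:
        return 0.0
    return comb(n_total - role_size, k_hit - role_size) / comb(n_total, k_hit)


def p_attack_succeeds(n_total: int, soaps: int, beacons: int,
                      servlets: int, k_hit: int) -> float:
    """Attack succeeds if ALL nodes of at least one role on the path
    (access points, beacons, or secret servlets) are down. Roles are
    assumed disjoint, so the union is computed by inclusion-exclusion."""
    roles = [soaps, beacons, servlets]
    total = 0.0
    for mask in range(1, 8):                      # every non-empty subset
        chosen = [r for i, r in enumerate(roles) if mask >> i & 1]
        sign = 1 if len(chosen) % 2 == 1 else -1
        total += sign * p_all_hit(n_total, sum(chosen), k_hit)
    return total


def simulate(n_total: int, soaps: int, beacons: int, servlets: int,
             k_hit: int, trials: int = 20000, seed: int = 1) -> float:
    """Monte Carlo cross-check of p_attack_succeeds under the same
    assumptions (constructed role assignment: disjoint index ranges)."""
    rng = random.Random(seed)
    bounds = [0, soaps, soaps + beacons, soaps + beacons + servlets]
    role_sets = [set(range(bounds[i], bounds[i + 1])) for i in range(3)]
    wins = 0
    for _ in range(trials):
        down = set(rng.sample(range(n_total), k_hit))
        if any(role <= down for role in role_sets):
            wins += 1
    return wins / trials


if __name__ == "__main__":
    # Same attacker budget (k_hit = 10) against overlays with 1, 5 and 10
    # nodes per role: added redundancy drives the success probability down.
    for per_role in (1, 5, 10):
        p = p_attack_succeeds(100, per_role, per_role, per_role, 10)
        print(f"{per_role:2d} nodes/role -> P(success) = {p:.2e}")
```

The defender's lever in this model is the number of nodes per role relative to what the attacker can take down at once; the full paper also accounts for nodes being restored and roles re-randomized, which this toy omits.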


    Published In

    SIGCOMM '02: Proceedings of the 2002 conference on Applications, technologies, architectures, and protocols for computer communications
    August 2002
    368 pages
    ISBN:158113570X
    DOI:10.1145/633025
    • ACM SIGCOMM Computer Communication Review, Volume 32, Issue 4
      Proceedings of the 2002 SIGCOMM conference
      October 2002
      332 pages
      ISSN:0146-4833
      DOI:10.1145/964725
    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. denial of service attacks
    2. network security
    3. overlay networks

    Conference

    SIGCOMM02
    Sponsor:
    SIGCOMM02: SIGCOMM 2002 Conference
    August 19 - 23, 2002
    Pittsburgh, Pennsylvania, USA

    Acceptance Rates

    SIGCOMM '02 Paper Acceptance Rate 25 of 300 submissions, 8%;
    Overall Acceptance Rate 462 of 3,389 submissions, 14%
