A Survey on Solutions to Distributed Denial
of Service Attacks
Shibiao Lin Tzi-cker Chiueh
Department of Computer Science
Stony Brook University, Stony Brook, NY-11794
Contents
1
Introduction
2
2
Overview of DDoS Attacks
2.1 Agent Recruitment . . . .
2.2 Zombie Compromise . . .
2.3 Communication Channels .
2.4 Attack Strategies . . . . .
2.5 DDoS Attack Trends . . .
4
5
7
7
8
9
3
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Taxonomies of DDoS Defense Mechanisms
3.1 Survival Mechanisms . . . . . . . . . .
3.2 Reactive Mechanisms . . . . . . . . . .
3.2.1 Spoofing-based . . . . . . . . .
3.2.2 Non-spoofing-based . . . . . .
3.3 DDoS Attack Solution Considerations .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
10
. 11
. 11
. 11
. 14
. 30
4
Proposed Solution
33
5
Conclusion
35
1
Abstract
Distributed Denial of Service (DDoS) attack is a large-scale, coordinated attack on the availability of services of a victim system or network
resource, launched indirectly through many compromised computers on the
Internet. Researchers have come up with more and more specific solutions
to the DDoS problem. However, existing DDoS attack tools keep being
improved and new attack techniques are developed. It is desirable to construct comprehensive DDoS solutions to current and future DDoS attack
variants rather than to react with specific countermeasures. In order to assist
in this, we conduct a thorough survey on the problem of DDoS. We propose
taxonomies of the known and potential DDoS attack techniques and tools.
Along with this, we discuss the issues and defend challenges in fighting with
these attacks. Based on the new understanding of the problem, we propose
classes of solutions to detect, survive and react to the DDoS attacks.
1
Introduction
A denial-of-service attack (DoS attack) is an attempt to make a computer resource unavailable to its intended users. Typically the targets are high-profile
web servers, the attack aiming to cause the hosted web pages to be unavailable
on the Internet. Denial of service attack programs, root kits, and network sniffers
have been around for a very long time. Yet this point-to-point denial of service attacks can be countered by improved tracking capabilities to shut down the source
of the problem. However, with the growth of the Internet, the increasingly large
number of vulnerable systems are available to the attackers. Rather than relying
on a single server, attackers could now take advantage of some hundred, thousand, even tens of thousands or more victim machines to launch the distributed
version of the DoS attack. A distributed denial of service attack (DDoS attack) is
a large-scale, coordinated attack on the availability of services of a victim system
or network resource, launched indirectly through many compromised computers
on the Internet [1].
DDoS attacks can seriously impair the Internet service. The first DDoS attack
was seen in late June and early July of 1999. The first well-documented DDoS
attack appears to have occurred in August 1999, when a DDoS tool called Trinoo
(described below) was deployed in at least 227 systems, of which at least 114
were on Internet2, to flood a single University of Minnesota computer; this system
was knocked off the air for more than two days. The first well-publicized DDoS
2
attack in the public press was in February 2000. On February 7, Yahoo! was
the victim of a DDoS during which its Internet portal was inaccessible for three
hours. On February 8, Amazon, Buy.com, CNN, and eBay were all hit by DDoS
attacks that caused them to either stop functioning completely or slowed them
down significantly. Analysts estimated that during the three hours Yahoo was
down, it suffered a loss of e-commerce and advertising revenue that amounted
to about $500,000. According to book seller Amazon.com, its widely publicized
attack resulted in a loss of $600,000 during the 10 hours it was down. During the
DDoS attacks, Buy.com went from 100% availability to 9.4%, while CNN.com’s
users went down to below 5% of normal volume. The downtime loss was huge [2].
More recently on June 2004, the websites of Google, Yahoo and Microsoft
disappeared for hours when their servers were swamped with hundreds of thousands of simultaneous webpage requests that they could not possibly service [3].
These webpage requests are from botnet which consists of thousands of zombie
machines. Before the attack, the attacker tried to scan the Internet to find out the
vulnerable machines and plant the bot on those machine. Internet relay chat room
are used for communication between the attacker and those zombie machines. After the attacker issued the assault command in an Internet relay chat room, the botnet start to generate plenty of web requests which bring down the victim websites.
These kinds of botnets are fuelling a growing crime wave against e-commerce in
which they are increasingly being offered for hire by hacking groups.
Earlier in year 2006, VeriSign experienced attacks on its systems that were
larger than anything it had ever seen before [4]. The assaults weren’t coming
from commandeered “bot” computers, as is common. Instead, its machines were
under attack by DNS (domain name system) servers. In this new kind of attack,
an assailant would typically use a botnet to send a large number of queries to open
DNS servers. These queries will be “spoofed” to look like they come from the
target of the flooding, and the DNS server will reply to that network address. Using DNS servers to do their dirty work offers key benefits to attackers. It hides
their systems, making it harder for the victim to find the original source of the
attack. But more important, reflecting an attack through a DNS server also allows
the assault to be amplified, delivering a larger amount of malicious traffic to the
target. A single DNS query could trigger a response that is as much as 73 times
larger than the request. To protect the DNS servers from abuse and prevent this
kind of attack, DNS servers should be configure to only provide DNS services to
machines within a trusted domain. Restricting recursion and disabling the ability to send additional delegation information can help prevent DNS-based DDoS
attacks [5].
3
There have been a number of proposals and solutions to the DDoS attacks.
However there is still no comprehensive solution which can protect against all
known forms of DDoS attacks. This paper tries to analyze and classify the current
solutions to the DDoS attack. By examining the pros and cons of each solution,
we can know about the effectiveness of the solutions.
In Section 2, we describe the steps it takes to launch the DDoS attack and
examine the attack strategies. We also discuss the current trend in DDoS attack.
In Section 3, we propose classes of DDoS countermeasures and analyze the desirability of those solution. Then in Section 4, we discuss the future work based on
the analysis and comparison done in Section 3. Finally, We conclude the paper in
Section 5.
2
Overview of DDoS Attacks
A DDoS Attack uses many computers to launch a coordinate DoS attack against
one or more targets. Using client/server technology the penetrator is able to multiply the effectiveness of the DoS significantly by harnessing the resources of
multiple computers which serve as attack platforms. A typical DDoS attack is
composed of four elements:
1. The Real Attacker;
2. The Handlers or master compromised hosts, who are capable of controlling multiple agents or Internet Relay Chat (IRC) channels for attackers to
communicate with the zombie agents;
3. The Attack daemon agents or zombie hosts who are responsible for generating a stream of packets toward the victim;
4. The victim or the target host.
In the DDoS attack, attackers first choose the vulnerable agents which will be
used to perform the attack. Then attackers exploit the vulnerabilities of the agents
and plants the attack code in a way such that the malicious code can be protected
from discovery and deactivation. After the attackers have recruited enough machines, they use the communication channels, either by handlers or IRC service,
to command the onset of the attack. We will examine the strategies that attackers
take in those stages.
4
2.1
Agent Recruitment
V. Yegneswaran et al [6] aggregated and analyzed firewall logs from over 1600
networks and reported that about 3 million scans happened everyday and 20% to
60% of these scans are Web server vulnerability scans and are linked to worm
propagation attempts. Attackers use various kinds of scanning strategies to chose
addresses of potentially vulnerable machines to scan [7].
Random Scan
This scan strategy scans the entire IPv4 space. In the case where a worm has no
knowledge of where vulnerable hosts reside in the Internet, the simplest strategy
is to randomly scan the entire IP address space to find targets, which is what the
Code Red worm and the Slammer worm did [8] [9]. However, this scanning is
only effective in the IPv4 address space with dense IP addresses being used. While
in the vast, sparsely populated IPv6 address space, this strategy is not successful.
Hitlist Scan
Staniford et al. [10] introduce the hit-list worm, which has an IP address list of
some vulnerable hosts in the Internet. An attacker can use the public available
information from netscan.org and the Smurf Amplifier Registry (SAR) to compile the hitlist of all possibly vulnerable Internet machines. Then the machine
performing this kind of scanning probes all the addresses from this list. After it
has conquered another machine, part of the initial hitlist will be sent to the other
machine.
Route-based Scan
Zou et al. [11] introduce the route-based scan, which uses BGP routing prefixes to
reduce scanning space. Based on BGP routing table, they find that currently only
about 28.6% of IPv4 addresses are routable. Thus if BGP prefixes information is
used, the scanning space can be reduced by more than three times.
Divide-and-conquer Scan
In order to improve the scan efficiency, a divide-and-conquer approach can be used
to allow different infected hosts to scan and infect vulnerable hosts on different
5
parts of IP space so that no two infected hosts will waste their resources on single
target.
Local Preference Scan
Local preference scan targets at machines that reside on the same subnet as the
compromised host. One reason to use this strategy is that it will be of higher probability to reach a machine by scanning an IP address within the same Class B or
the same Class A subnetwork than a random IP address because the vulnerable
hosts in the Internet are not uniformly distributed [12]. On the other hand, attackers might experience difficulty to reach a network behind a firewall. However, if
one computer inside the firewall is infected, it can quickly infect all vulnerable
hosts in that local network with local preference scan.
Topological Scan
Topological scan can use the information within the victim machines to look for
new targets. The malicious program in an already infected host can search for
the URL contained in the disks. Then it can try to scan the servers corresponding
to those URLs. In most cases, those URLs are valid Web servers, which means
that the accuracy of this technique is extremely high. Another example is that the
Email worm can search for the contacts of the infected host, then spread itself to
those contacts [13]. Because this kind of scanning can have very accurate next
targets, it can achieve similar performance to that of hitlist scan.
Permutation Scan
In a permutation scan [14], all worms share a common pseudo random permutation of the IP address space. Such a permutation can be efficiently generated
using any block cipher of 32 bits with a preselected key: simply encrypt an index
to get the corresponding address in the permutation, and decrypt an address to get
its index. Any machines infected during the hitlist phase or local subnet scanning
starts scanning just after their point in the permutation and scan through the permutation, looking for vulnerable machines. Whenever it sees an already infected
machine, it chooses a new, random start point and proceeds from there. Worms
infected by permutation scanning would start at a random point.
This has the effect of providing a semi coordinated, comprehensive scan while
maintaining the benefits of random probing. Each worm looks like it is conducting
6
a random scan, but it attempts to minimize duplication of effort. This keeps the
infection rate higher and guarantees an eventual comprehensive scan. After any
particular copy of the worm sees several infected machines without discovering
new vulnerable targets, the worm assumes that effectively complete infection has
occurred and stops the scanning process.
2.2
Zombie Compromise
Software Vulnerability
Once the attacker has scanned and get a list of vulnerable hosts. He would need
to explore the vulnerabilities of the system to get control of the system. There
are many sources on the Internet reporting the software vulnerabilities of different
kinds of systems. For example, the Common Vulnerabilities and Exposures(CVE,
http://cve.mitre.org/cve/). Those information about the vulnerabilities can be used
to break into the system.
Buffer Overflow
A buffer overflow occurs when data written to a buffer, due to insufficient bounds
checking, corrupts data values in memory addresses adjacent to the allocated
buffer. This can cause the computer to return from a procedure call to malicious
code included in the data that overwrites the buffer. Thus the attacker can take
control of the victim.
Trojan Horse
A destructive program that masquerades as a benign application. Unlike viruses,
Trojan horses do not replicate themselves but they can be just as destructive. One
of the most insidious types of Trojan horse is a program that claims to rid your
computer of viruses but instead introduces viruses onto your computer.
2.3
Communication Channels
The communication channels between the attacker and the agents have two models:
• Agent-Handler Model This is the classic DDoS model. This model contains attacker, handlers and agents. The handlers are software planted on
7
computers throughout the Internet. Attacker communicates with the agents
through those handlers. Agents are the compromised machines the attacker
uses to launch the attack directly.
• IRC-based Model Internet Relay Chat (IRC) is a form of instant communication over the Internet. It is mainly designed for group (many-to-many)
communication in discussion forums called channels, but also allows oneto-one communication. In this model, IRC server is used to replaces the
handler, attackers can have more benefits. For example, attacker can conceal the commands in legitimate IRC traffic and don not need to maintain a
lot of address lists. Agents redirection and update is much easier. A single
command can make everybody switch to a new channel or to download the
updated modules. Thus using IRC for communication increase the survivability of the system.
2.4
Attack Strategies
DDoS attacks can be divided into two categories: bandwidth Attack and resource
attack. A bandwidth attack simply try to generatepackets to flood the victim’s network so that the legitimate requests can not go to the victim machine. A resource
attack aims to send packets that misuse network protocol or malformed packets to
tie up network resources so that resources are not available to the legitimate users
any more.
Bandwidth Attacks
• Flood Attack In a direct attack, zombies flood the victim system directly
with IP traffic. The large amount of traffic saturates the victim’s network
bandwidth so that other legitimate users are not able to access the service
or experience severe slow down. Normally in those attacks, the following
packets are used.
– TCP floods A stream of TCP packets with various flags set are sent to
the victim IP address. The SYN, ACK, and RST flags are commonly
used.
– ICMP echo request/reply (e.g., ping floods) A stream of ICMP
packets are sent to a victim IP address.
8
– UDP floods A stream of UDP packets are sent to the victim IP address.
• Reflected Attack A reflected denial of service attack involves sending forged
requests of some type to a very large number of computers that will reply to
the requests. Using Internet protocol spoofing, the source address is set to
that of the targeted victim, which means all the replies will go to (and flood)
the target. ICMP Echo Request attacks can be considered one form of reflected attack, as the flooding host(s) send Echo Requests to the broadcast
addresses of mis-configured networks, thereby enticing a large number of
hosts to send Echo Reply packets to the victim. Some early DDoS programs
implemented a distributed form of this attack. Nowadays, DNS attacks using recursive name servers can create an amplification effect similar to the
now-aged Smurf attack [15].
Resource Attacks
• TCP SYN Attack The TCP SYN attack exploits the three-way handshake
between the sender and receiver by sending large amount of TCP SYN requests with spoofed source address. If those half-open connection binds
resources on the server or the server software is licensed per-connection, all
these resources might be taken up.
• Malformed Packet Attack A ping of death (abbreviated “POD”) is a type
of attack on a computer that involves sending a malformed or otherwise
malicious ping to a computer. A ping is normally 64 bytes in size; many
computer systems cannot handle a ping larger than the maximum IP packet
size which is 65,535 bytes. Sending a ping of this size often crashes the
target computer.
2.5
DDoS Attack Trends
There is little change in the nature of the targets of DoS attacks. The Internet community, ranging from individual end-users to the largest organizations, continues
to experience DoS attacks. Following are the technology trend of current DDoS
attacks [16]:
9
• Larger botnet size There is a steady increase in the ability for intruders to
easily deploy large DDoS attack networks. In the race of available consumable resources versus the ability to consume those resources, todays DDoS
networks continue to outpace available bandwidth in most cases.
• Advances in master-zombie communications Recently, there is an increase in intruder use of Internet Relay Chat (IRC) protocols and networks
as the communications backbone for DDoS networks. The use of IRC essentially replaces the function of a handler in older DDoS network models.
IRC-based DDoS networks are sometimes referred to as botnets, referring
to the concept of bots on IRC networks being softwaredriven participants
rather than human participants. The use of IRC networks and protocols
makes it more difficult to identify DDoS networks.
• Base on legitimate traffic Where packet filtering or rate limiting can be
effective to control the impact of some types of DoS attacks, intruders are
beginning to more often use legitimate, or expected, protocols and services
as the vehicle for packet streams. Doing so makes filtering or rate limiting
based on anomalous packets more difficult. In fact, filtering or rate limiting
an attack that is using a legitimate and expected type of traffic may in fact
complete the intruders task by causing legitimate services to be denied.
• Less reliance on source address spoofing Although it is still used, less
emphasis is put on source IP address spoofing in DoS attacks. With highly
distributed attack sources, that many times cross several autonomous system
(AS) boundaries, the number of hosts involved as sources of an attack can
be simply overwhelming and very difficult to address in response. Source
IP address spoofing simply is not a requirement to obfuscate large numbers
of attack sources and enable the attacking party to avoid accountability for
the attack.
The resulting attacks are hard to defend against using standard techniques, as
the malicious requests differ from the legitimate ones in intent but not in content.
Turing test is a desirable way to tell human from machines.
3
Taxonomies of DDoS Defense Mechanisms
The DDoS defense mechanisms can be roughly divided into two categories: Survival Mechanisms and Reactive Mechanisms.
10
3.1
Survival Mechanisms
Survival mechanisms involves increasing the effective resources to such a degree
that DDoS effects are limited. This kind of enlargement can be achieved statically
by purchase more hardware and use load balance techniques to increase the system
capacity, or dynamically by acquiring resources at the time of DDoS attack and
replicate the service.
In addition, Content Delivery Network (CDN) like Akamai [17] can be used
to assist this. CDN nodes are deployed in multiple locations, often over multiple
backbones. These nodes cooperate with each other to satisfy requests for content by end users, transparently moving content behind the scenes to optimize the
delivery process.
However, the arm race with DDoS attackers still seems to be hard for the
victims, as it is easier for attackers to acquire additional thousands of zombies
to win the race. Thus this kind of approach can not give a complete solution to
DDoS.
3.2
Reactive Mechanisms
Reactive mechanisms try to detect the occurrence of the attack and react to that
either by controlling attack streams, or by attempting to locate agent machines and
invoking human action. There has been numerous proposals and partial solutions
available today for react to the DDoS attack. Those reactive mechanisms can be
further divided into several classes:
3.2.1
Spoofing-based
For spoofing-based attacks, we need to identify the sources of attack traffic. This
kind of approaches [18] [19] [20] try to figure out which machines attacks come
from. Then appropriate measurement will be take on those machines (or near
them) and eliminate the attacks. In the case where attacker has a vast supply of
machines, the trace approaches become not too helpful. A good example of the
trace back technique is Traceback:
Traceback [18] is a technique for locating the agent machines making the
DDoS attacks. It helps a victim to identify the network paths traversed by attack traffic without requiring interactive operational support from internet Service
Providers. This approach is demonstrated in Figure 1. Each packet header may
carry a mark, containing the EdgeID, represented by the IP address of the two
11
Marking procedure at router R:
for each packet w
let x be a random number from [0..1)
if x < p then
write R into w.start and 0 into w.distance
else
if w.distance = 0 then
write R into w.end
increment w.distance
then a victim can
packets from the
the convergence
path lengths that
are generally wit
paper we will use
17]. For compa
108 packets usin
Path reconstruction procedure at victim v :
let G be a tree with root v
let edges in G be tuples (start,end,distance)
for each packet w from attacker
if w.distance = 0 then
insert edge (w.start,v ,0) into G
else
insert edge (w.start,w.end,w.distance) into G
remove any edge (x,y ,d) with d = distance from x to v in G
extract path (Ri ..Rj ) by enumerating acyclic paths in G
This same algor
cause attackers fr
tree structure use
needed to recons
packets needed t
number of attack
is it is impossibl
be spoofed, due
in a distributed a
the contents of a
with the ICMP T
incorporating a s
problem of attack
6
Figure
1: 4:
Traceback
edge sampling
algorithm
Figure
Edge sampling
algorithm.
was sampled.3 Any packets written by the attacker will necessarily
have a distance greater or equal to the length of the true attack path.
Therefore, a single attacker is unable to forge any edge between
themselves and the victim (for a distributed attack, of course, this
applies only to the closest attacker) and the victim does not have
12
to worry about “chaff” while reconstructing the valid suffix of the
attack path. Consequently, since we no longer use the sampling
rank approach to distinguish “false” samples, we are free to use
arbitrary values for the marking probability p.
The victim uses the edges sampled in these packets to create a graph
Of course, a sign
it requires additio
not backwards c
ified version of e
at some cost in p
large distributed
5. ENCOD
The edge sampli
packet (two 32-b
sent the theoretic
It would be poss
label stack [36],
routers forming an edge. This is used to specify an edge it has traversed. In addition, another field in the header is reserved to specify the distance from the edge
to the victim.
Routers mark the packets with some probability. And when a router decides
to mark a packet, it writes its own address into the start field of the EdgeID and
mark the distance field to zero. Otherwise, if the distance field is already zero
this indicates that the packet was marked by the previous router. In this case, the
router writes its own address into the end field of the EdgeID. Thus this represents
the edge between itself and the previous router. In addition, if the router doesn’t
mark the packet then it always increments the distance field. This is important
for assist in figure out the attacker spoofing those fields. The victim under attack
reconstructs the path from the marked packets using the algorithm described in
Figrue 1.
Strictly speaking, traceback does nothing to stop the DDoS attacks. Actually
it only identifies attackers’ true IP addresses within a subnet. If the IP spoofing
are prohibited in the Internet, traceback would be of no use. The pro side of
traceback is that it can be incrementally deployable, because edges are constructed
only between participating routers. It is effective for non-distributed attacks and
those highly overlapping attack paths. The information about the attack paths can
help locating routers close to the source. Yet the con side of this approach is that
packet marking incurs overhead at routers and reassembling the widely distributed
attack paths is computational expensive. Furthermore, the path reassembly is quite
complex and it is hard to make sure of its complete correctness. In addition,
because the routers only mark the packet probabilistically, chances are that some
of the packets are not marked at all. If those happen to be the spoofed packet from
the attacker, they can produce false outcome.
Fu-Hau [21] proposed a path-falsification-attack free PPM (Probabilistic Packet
Marking) algorithm called Path Information Caching and Aggregation (PICA)
that records paths of packet streams in fix length path messages, thus eliminating
the need of path reconstruction at the receiver end. PICA keeps an aggregate count
of the total number of packets from those network connections that are routed via
the same forwarding table entry. At the time that the packet count reaches a given
value, a path message will be triggered. This PICA path message is sent as an
ICMP packet to the destination address. When a downstream router receives a
path message created by some other router, the downstream router appends its
own ID to the message and forwards it to the same destination. PICA records in
each message the entire path from the path message-creating router to the path
message-triggering packet’s destination, so there is no need to reconstruct paths
13
at victims.
3.2.2
Non-spoofing-based
Filtering Based on Traffic Anomaly
Filtering and rate-limiting are the basis for most defensive approaches. This defense category addresses the core of the problem by limiting the amount of traffic
presented to target. Filtering drops packets with particular characteristics. As
long as the characteristics of the traffic are correctly identified, collateral damage
can be low, but there is no guarantee that enough packets have been dropped. On
the other hand, rate-limiting drops packets on basis of the amount of traffic. This
technique does assure that target is not overwhelmed, but part of the legitimate
traffic might also be dropped. Those filtering are done in the IP-layer.
* Core-based Filtering
Pushback [22] [23] is a mechanism to preferentially drop attack traffic to relieve
the congestion. Aggregate-based congestion control (ACC) that operates at the
granularity of aggregates was proposed. An aggregate is a collection of packets
from one or more flows that have some property in common. An example of
aggregates are TCP SYN packets and ICMP ECHO packets. To reduce the impact of congestion caused by such aggregates, two related ACC mechanisms are
used. The local aggregate-based congestion control (Local ACC), consists of an
identification algorithm used to identify the aggregate(s) causing the congestion,
and a control algorithm that reduces the throughput of this aggregate to a reasonable level. The second ACC mechanism, pushback, allows a routere to request
adjacent upstream routers to rate-limit the specified aggregates. Pushback prevents upstream bandwidth from being wasted on packets that are only going to be
dropped downstream. In addition, for a DoS attack, if the attack traffic is concentrated at a few upstream links, pushback protects other traffic within the aggregate
from the attack traffic. Figure 2 depicts the architecture of an ACC-enabled router.
Using this approach, even a few core routers are able to control the high volume attacks. ACC mechanisms fall between the traditional granularity of per-flow
control (which looks at individual flows) and active queue management (which
does not differentiate between incoming packets). This kind of separation of traffic aggregates improves current situation with the right granularity. As routers are
well equipped to handle high traffic volumes and deployment at a few core routers
14
w
ges
,$-.!/0!-1
1):1'
`U-5*d2?5
!)W/G
7
a‚30 . )C47'#
#H7-[X/3¤
7*d?51[[
+
=„K*
?4Lr3[+
K^[[
[C3
E&W)-)S2))*#
9'I1?5J/
U/C[C5
r
3+,)01^
E
3c1;&W*-
B:_
Bc1C4
['I/3
4Y %i 3
[!BV
Bc1C<
C3 . ':
Yes
In
Rate−Limiter
[independent drop decision
for each aggregate]
Packets surviving
the rate−limiter
High−BW
Agg?
Output Queue
No
Information on
identified aggregates
RED
Dropping?
No
FIFO
Out
Yes
ACC
Agent
.
SR+T; U-VW*XT7YZYH"[*$\]-!/#5
^2:/Architecture
_-V^.of`an"3ACC-enabled
*\`a0&\b
Packets
of!high-bandwidth
WcZ
-.aggregates
Figure
router.
through
d
!the
#"%$rate-limiter.
('!/#5eAllT?packets
$&$cdropped
/Fby\`RED
-ccOare \f
getoh;theiAjk
pass
passed
ACC Agent
forcidentifying
! \B!aggregates.
-?;T7YWY]T;*lVm-n\*oVmg`&*P / ,5
can affect many traffic flows due to core topology, this approach is possible to successfully control the attack and relieve congestion in the Internet. Yet on the other
hand, Pushback only works in contiguous deployment and deployment requires
modification of existing core routers and might need to purchase new hardware.
In addition, it will inevitably inflict collateral damage on legitimate traffic.
N /!P$3:$8 . /C[
<…„/3
834Z*E01/C . :!
&W*AV3[C[
[!3G3
V5-?5;%/3
aZ//
/qp N ƒ . /3
?4
A
/
E?3'IAO3*
)#9
3-3E*E-E/3^&W[_
TI3A
/?&V5;'L N /!PX33":I<SƒS7':X?31)/U'Ia7!/C:C?5
'#oJ
/C
D/Cn'ID/3^b5*
)*#o/C"?5o
C
?4
* Edge-based Filtering
&Wo=r .. )?3/Co)!)al/
0HB-/6/p5-[C
'I>&filtering
3monitors
:7;32and
5JT2filters
"the
/B&Vpackets
5r†*ˆ‡3that
j<_leave
H5internal
/C=
3E/ to
Egress
network
external
router
&Wpnetwork.
/r Certain
3":8can
-U)be
:!set)*#up/Din2the
?!;
D)-3to
[determine
. /C)#pwhether
/C0A+ a
. 7'2rules
packet
not.
?47&Wbefiltered
"r&^or5/;
/IfVthe
5packet
57
`pass
Dall
athe&rules,
/
:I< they are routed the
. /Cshould
sub-network. In DDoS attacks, the IP address of a packet are often be spoofed,
thus
source
this
packet
r\there
l/
EisaC/good
C:7probability
[ . of7'2that
3"that
:Isub-network.
47the^spoofed
ž §a§ When
01
2theaddress
firewall
0 5of7rule
5explicitly
a is
not a valid source address
3"+>)01*U%/3
X1[[
[C3D01/[8A/C
'[8[C+
filters out all the traffic without an IP address originating from this subnet, those
'I/
packets
<W>8with
U[spoofed
"
)KIP?3source
C4]3)-)Žaddresses
^/Cwill
'bediscard.
[A[C7'I/
G5/
DDoS
In/3Vingress
/C
filtering,
'Zpackets
U01coming
^301/Cinto
7 the
Anetwork
):D?3are
#filtered
[101if/3the
Gnetwork
3+
d2;'Iit)/Cshould
[[not/rsend
1packets
[[
[Cfrom
3DIPEaddress
01/3
Aof):!the
)*#_originating
/'IAcomputer.
5[
sending
33":A
Bc1 V01/
V
3c1`/C)-5D'I`5
/ .. ?5Al
/0—*?<
žV
G5
01-[;^)01*`l15
/
Z/C
'-[1['I/3
?4
. 7'23":A
?ša013[CUWa/;0<YG
. 'I[-o
3+,)01[J[C[3
[!Bp&W*6 . d?5o)01*?<
ƒS7'23":H . / . [C3?5D%
W . ?0Ÿ-X01)B
V0H+
"
?<
In order to do ingress filtering, the network needs to know which IP addresses
each of the networks it is connected to may send. This is not always possible.
For instance, a network that has a single connection to the Internet has no way
to know if a packet coming from that connection is spoofed or not. Thus this requires that the ingress filtering deployed at the border of Internet Service Providers
where address ownership is relatively unambiguous and traffic load is low. However, the success of ingress filtering requires widespread deployment. Yet up until
now, the majority of ISPs are reluctant to implement this service because of the
administrative complexity and potential overhead. In addition, even ingress and
egress filtering are universally deployed, attackers can still forge addresses from
the hundreds or thousands of hosts within a valid customer network [24].
Jelena et al. [25] suggested a distributed framework, the Defensive Cooperative Overlay Mesh (DefCOM) for DDoS defense. DefCOM consists of heterogeneous defense nodes organized in a peer-to-peer network, communicating to
achieve a dynamic cooperative defense. Figure 3 shows the high-level overview
of DefCOM’s operation. There are three types of nodes:
• Alert generator: detect the attack and inform other nodes
• Classifier: distinguish legitimate traffic from malicious traffic, forward the
legitimate packets marked with legitimate mark, limit the rate of the suspicious packets and mark them with monitored mark.
• Rate-limiter: limit the rate of all traffic to the victim and give the highest
priority to legitimate traffic.
Alert generators and classifiers deployed at the edge while rate-limiters deployed
at the network core. Alert generator at the victim-end can detect the malicious
traffic with high accuracy, while classifier at the source side can effectively stops
attacks with the information provided by the alert generator and thus the collateral
damage can be limited to minimum. Rate-limiter in the network core can handle
attacks from those networks that do not have classifier nodes.
DefCOM is different from other DDoS defense system in that it perform all actions in the place where they are most suitable to be carried out: accurate detection
in victim side, classification of the traffic types in the source side, rate-limiting in
the network core. In addition, the incremental deployment is possible as the core
nodes can handle attacks from legacy networks. On the other hand, this approach
is only effective with at least some core router deployment. In addition, the compromised overlay nodes can do harm to the DefCOM operation.
16
\(#EI.+*C0@69Z[62.+6@,5F
.+*6@,58G.#EI0909E.+69:,
(#E,5862.+6@:,œ3r.+456@8
\­¬Z[*-88+EF*-8
CE,fBvE&).+45*-,/.+62J
o>-&;((+*,.+021Ca)(+:J
5F4C62.S6@8u:=*(+*B
ª W z 45*HZ[:.+62J
@0rLd*H6@,;>(+*E8*-B
I(+V8slr62.+4b>-09E8GJ
#E,/.+*-*8R.+:w.+4;*-62(
fE(.+6EI0RB)*-a50@:1J
(r,5:B)*RB)*-a50@:1J
/:B\8*(+?)6@>-*S.+:OE
+69:,hD:I(B)*-a50@:1J
{6@,;6@.+69EI0pZ[:.+6@?EJ
&509B>-:Z[*rDM(+:Z
+:I.+*->.+*B[8*(+?*(
(+*3/.+4;*RB)*D*-,;8*
r62.+4k69,;>(+*EI869,;F
(#E.+69?*hB)*D*-,;8*
w>:(+*S,;*.gl':(+V8
#EI.+:(`E,fBY>-:I(+*
.!l:(+V 8.+:ad:02J
-:I(+*[,5:B)*-8Slr6@090
5*[>:/:ad*(#E.+69:,
EI0@09:l´EI>->-&;(#E.+*
5*u*=*->.r:IDˆ.+4;*
I09*(.SF*,5*(#E.+:(
6@,;FRLd*-,;*e5.ƒE,fB
6@,5>-*.+45*sad:8862J
Ea5a;021`.+:HZ[:I(+*
c
1
a
X
2
4
v
a
Y
3
a
Z
c
c
8
6
5
9
7
c
v DDoS victim
a DDoS attacker
c Legitimate client
Physical network
Rate limit
Defense nodes
Traffic Types
Core
Classifier
Alert generator
Unstamped
Approved
Monitored
Legacy router
¢M˜d¡ˆ¦™
w™)žGŸO”
&d™¦ ˆ ¢M™µ
Figure 3: DefCOM deployment overview
a509EI>-*h.+45*Z EI8o>-0@:8*h.+:w8:&)(+>-*O,5*.gl:I(+V8oE8Sad:886@L50@*Whnm.u.+45*
8+EZ[*.+6@Z[*3>-09E8862e5*(,5:B)*-8SB)6@=*(+*-,/.+6E.+*h0@*-F6@.+6@ZE.+*{DM(+:Z E.J
.#E>#V`8G.(+*EIZ[8-Whnq0@0p,5:B;*8S6@,k.+4;*{DM(#EIZ[*l:I(+V`F6@?A*{a;(+*DM*(+*-,/.+69E0
8*(+?6@>-*S.+:O0@*-F6@.+6@ZE.+*.(#E…[>W
17
5.1
XY4;*-,\Traffic
EhPRPS:/TwEITree
..#E>#V:/Discovery
>->-&)(+8-35.+45*SE0@*(.qF*-,;*(#EI.+:I(q,5:B;*o>09:8GJ
*-8G.{.+:\.+45*?69>.+69Z‹B)*.+*->.+8{6@.hE,5B<a;(+:afEFEI.+*-8s.+45*  ¹ ¿ º Á ¹#»
Âà ¹7.+:ŒEI0@0u,;:B;*-8O6@,b.+45*Had*-*([,;*.gl':(+VdWx†g,vƒ69F&;(+* 3mEI09*(.
F*,5*(#E.+:({,5:B;* B)*.+*->.+8sE7PRPS:/TŒE..#E>#V^:,<?6@>.+6@
Z EI,fB
of the syss, and disost. Secdiscusses
erview of
d Section
the attack
opped beher flows,
ose to the
gation of
llows the
her accuy to relay
e of their
rce router
network
e assume
ss set, eionfigurahe police
” to reach
ceive trafic routing
OBSERVATION
COMPONENT
CLASSIFICATION
TRAFFIC
STATISTICS
SOURCE
ROUTER
INTERNET
STATISTICS
MODELS
FLOW
CLASSIFICATION
D-WARD
RATE LIMIT
RULES
SOURCE
NETWORK
THROTTLING
COMPONENT
Figure Figure
1. D-WARD
architecture.
4: D-WARD architecture
The D-WARD [26] system is installed at the source router that serves as a gateway
between
the deployingcomponent
network (source
network) and
rest of thepassing
Internet.
The
observation
monitors
allthepackets
It monitors the behavior of each peer with whom the source network communithrough
thefor
source
and gathers
statistics
on two-way
cates, looking
signs ofrouter
communication
difficulties,
such as a reduction
in the
number
of
response
packets
or
longer
inter-arrival
times.
Periodically,
D-WARD
communication between the police address set and the rest
compares the collected statistics with a predefined model of normal traffic. If the
ofcomparison
the Internet.
This
can be
for exresult shows
thatmonitoring
there is the possibility
of aperformed,
DDoS attack, D-WARD
will impose
rate limit on
thetraffic
suspicious
flow for
this peer.
The archiample,
by asniffing
the
atoutgoing
the source
router
interfaces.
tecture of D-WARD is show in Figure 4
Periodically,
statistics are compared to models of normal
Each flow record kept by D-WARD contains statistics on three types of traftraffic
are
passed
themodels
throttling
component
fic: TCP,and
UDPresults
and ICMP.
D-WARD
usestothree
to analyze
those traffic
respectively:
which adjusts and transfers the new rate limit rules into the
source
router.
limits
1. TCP
normal The
trafficimposed
model. Thisrate
model
defines modify
a T CPrto , associated
which is the
allowed
ratioaffect
of the number
packets sent and received
in the
trafficmaximum
flows and
thus
futureofobservations,
closing
the
aggregate TCP flow to the peer. If a flow’s packet ratio is above this threshfeedback
old, itloop.
will be classified as an attack flow. The intuition behind this is the
amount of data send from the source is controlled by the constant flow of
acknowledgments from the destination. If the host ignores the TCP flow
2.2. Monitoring and attack detection
18
The observation component monitors two-way traffic at
flow granularity in order to detect difficulties in communication that could be a sign of a DDoS attack. A flow is
defined as the aggregate traffic between the police address
control, pumping out a lot of TCP packets while receives few acknowledgments, it can be classified as a malicious attacker.
2. ICMP normal traffic model. This model also defines a ICM Prto , which
is the maximum allowed ratio of the number of echo, time stamp, and information request and reply packets sent and received in the aggregate flow to
the peer. As for other ICMP messages, such as “destination unreachable”
etc., is expected to be very small. A predefined limit can control that part of
traffic.
3. UDP normal traffic model. This model defines the following set of thresholds: nconn , an upper bound on the number of allowed connections per destination, pconn , a lower bound on the number of allowed packets per connection, and U DPrate , a maximum allowed sending rate per connection.
The first two metrics try to identify a UDP attack through spoofed connections, while the third identifies a UDP attack through a few very aggressive,
non-spoofed connections.
D-WARD uses those simple metrics for fast detection and control of wide
range of attacks and have relatively low collateral damage. Deploying at the
source side help to stop attack as soon as possible. However, a major drawback is
that it is only effective in actually stopping attacks if deployed at most attacking
network. Otherwise, attackers can still successfully perform those attacks from
unprotected network. In addition, the incentive to deploy those system is pretty
low because this requires people to spend money and time to protect others.
A distributed firewall forms a virtual overlay network of nodes through which
all packets to the server should pass through. Thus the distributed firewall can
filter out the malicious DDoS attack traffic and protect the server from being overwhelmed.
Firebreak [27] is a distributed firewall for a server based on the use of IP-level
indirection. The basic idea is that source end hosts simply cannot send IP packets
directly to target hosts (e.g. in Figure 5, packets from host S addressed to T1). IP
reachability simply does not exist. IP packets addressed to the target are dropped
by legacy routers very near the source. Instead, packets must be addressed to
intermediate boxes, called firebreak boxes deployed near the edge. The firebreaks
map these firebreak addresses into the target addresses, and tunnel the packets
to the target. For instance, in Figure 5, S addresses packets to F1, which gets
delivered to a nearby firebreak (FS). The firebreak maps F1 into the target address
T1, and tunnels the packet to the target using its own unicast address FSu as the
19
ightweight
outers, but
argument.
minimum
ly simple
e schemes
o use the
g IP-level
d is similar
roach they
erations in
ssion, one
n a DDoS
hnical and
a solution
rent router
h a viable
ever initial
We also
n’t expect
he cost of
small as
he damage
e point of
ackets are
possible.
rther away
bandwidth
loser each
box has to
should be
rns means
d between
address FSu as the source address of the outer header.
If the target itself is incapable of de-tunneling these
packets, a proxy placed in the physical path near the
target can do it (or, if necessary, the firebreak could
NAT the packet). Reverse packets actually take a
different path back, as explained in Section 3.2.
S
FS
S,F1
(anycast)
FT
S, F1
FSu,T1
F1,S
T1
F1,S
T1,”FB”
(option 1)
F1,S
(option 2)
Figure
5: Packets
between non-protected
hostnon-protected
S and (protected) targethost
T1. Option
1 is
Figure
1: Packets
between
S and
(protected) target T1. Option 1 is where T1 cannot
spoof its source address, option 2 is where it can.
source address of the outer header. If the target itself is incapable of de-tunneling
where T1 cannot spoof its source address, option 2 is where it can.
these packets, a proxy placed in the physical path near the target can do it (or, if
DDoS the
monitor
functions
exists at the target (though
necessary,
firebreak could
NAT the packet).
firebreaks may feed statistics to the monitors to aid
*them).
Transparent
IP Layer Packet
Redirection simply pass all traffic to
Normally
firebreaks
A
key target.
challenge here
is how a
to transparently
intercept packets
without modifythe
When
monitor detects
an attack
or an
ing existing IP routing infrastructure. The work by Sriram [28] demonstrated the
overload, however, it sends control messages to the
possibility of redirecting incoming/outgoing packets through a node at the IP layer
appropriate
firebreaks
(e.g.network.
to address
Fu) the
requesting
requiring
no modification
to the existing
Figure 6 shows
control system
the IP redirection.defensive
Access Routers(AR)
the routers
which customers
theofappropriate
actionare(later
wetodiscuss
what
directly connect. Border Routers (BR) are the exit points for the POP. VON is
this
may
be).nodeItto may
turn
outarefor
instance
that
some
the
virtual
overlay
which the
packets
redirected.
And then
VON
will
forward
them to the
firebreaks
doBRs.
not have any or many attackers behind
For packet redirection to occur, the interface metrics is suitably manipulated
them, and therefore don’t need to be told anything.
such that the route to the external site is shortest when forwarded by the VON.
Thus the access routers will forward the packets to the VON. A static route is set
Of course, we don’t expect to see firebreaks
up in the VON that forwards all the packets destined to the external site to the
immediately
deployed
edge BRs
router
in the
BR
if those packets are
not filtered byat
this every
VON. To prevent
from forwarding
packets
back toso
the VON,
also announced
that the for
interface
cost between
Internet,
we VON
need
a strategy
incremental
deployment of firebreaks (accepting that the initial
20
deployment in any event must be big enough and
disperse enough to absorb a sizable attack). For this,
IP anycast is proposed [10]. All firebreaks advertise
the complete set of firebreak addresses into the routing
the BR and the VON is costly enough so that VON can no longer act as the next
hop router to the external site.
As shown in Figure 6, assume VON node announces that it is at distance d1
from the external site. if d1 + ari < bri + N , then all the access routers will send
the packets destined for that site through VON node. After the packets arrive at
the VON node, they are filtered according to predefined firwall rules. Legitimate
packets will be forwarded to the border router.
To prevent packets being redirected from the border router directly to the
VON, we must have: d2 + d1 > N ; to prevent packets being redirected from
the border router indirectly to the VON (e.g. through an access router), we have
ari + bri + d1 > N .
Thus, from the three equations mentioned above, we have:
d1 < brmin − armax + N
(1)
d1 > N − d2
(2)
d1 > N − brmin − armin
(3)
N − d2 < d1 < brmin − armax + N
(4)
N − brmin − armin < d1 < brmin − armax + N
(5)
Then,
For all practical purposes, d2 < brmin + armin , Thus we have:
N − d2 > N − (brmin + armin )
(6)
If ari , d1 , and d2 can be controlled, the above inequalities will be easily satisfied.
To manipulate those values, only modification to the OSPF daemon on the
VON is needed.
In order to manipulate the ari and d2 , the VON will be made the Designated
Router (DR). DR’s exist for the purpose of reducing network traffic by providing
a source for routing updates, the DR maintains a complete topology table of the
network and sends the updates to the other routers via multicast. This way all the
routers do not have to constantly update each other, and can rather get all their
updates from a single source. We need to set the VON as DR because we can
safely manipulate the ari and d2 . To announce distinct costs to the BRs and ARs,
the outgoing router link-state advertisements packets are subject to modification.
21
1. Packet Redirection
To the backbone network
Virtual link to the
site to be protected
N
N
BR
BR
br0
br1
d2d2
br2
VON
ar0
AR
d1
ar1
AR
Figure 6: IP redirection control system
Figure 1: Control System
If the IP packets’s destination is BR, modify the interface cost to d2 . If the packet
is destined to AR, set the link state cost to ari .
In order to announce the virtual cost of d1 , the VON is at the mean time set to
be ASBR. Thus VON can announce an external link-state advertisement message
for d1 .
Thus this approach does not require any other modifications to the source
clients, core routers and protected servers.
Access Routers(AR) are the routers to which customers directly connect. Bord
Routers (BR) are the exit points for the POP. VON is the virtual overlay no
which redirects the packets to itself before forwarding them to the BRs.
For packet redirection to occur interface metrics should be suitably manipulate
Ideally, it should be established that the route to the external site is shortest wh
forwarded by the VON. The access22 routers then forward the packets to t
VON. A static route could be set up in the VON that forwards all packe
destined to the external site to the BR.
We use
tributed
orks, to
ine that
hich we
lack of
attack is
y deterof being
nication
we mean
ypically,
ted and
allowed
e target.
purpose.
target,
protect
s. Both
ectional
ic” sites
e clients
e client)
use the
commuubstrate.
deliver
another.
overlay
cker. In
ain roles
livering
communications, masking them as legitimate. In addition, it
is conceivable that more intelligent attackers could monitor
communications between nodes in the overlay and, based on
observed traffic statistics, determine additional information
about the current configuration. Protecting SOS from such
attackers is beyond the scope of this paper [7].
Beacon
Beacon
Beacon
Secret
Servlet
Secret
Servlet
Secret
Servlet
Source
Point
overlay
nodes
SOAP
SOAP
Target
Filtered region
Fig. 1.
Basic SOS architecture.
Figure 7: System architecture of SOS
Filtering Based on Client “Authentication”
Figure
1 gives a high-level overview of the SOS architecture
Overlay-based
that *protects
a target node or site so that it only receives
Given the transmissions.
fundamentally open nature
ofthe
the Internet
and the apparent
reluctance
of we
legitimate
In
discussion
that
follows,
router vendors and network operators to deploy new mechanisms. Overlay-based
first approach
give asuchbrief
of[30]
theetc. design
process,approach.
and then
as SOSoverview
[29] and MayDay
provide an alternative
These approaches don’t require to change the network protocol or routers. Such
develop
the architecture piece by piece. The reader can refer
system uses Internet-wide network of nodes to act as a distributed firewall, and
backcarry
to the
figure during
out authentication
for the the
clients.discussion.
The protected servers hide behind the
overlay network, only authorized clients can access protected servers through the
overlay network.
The goal of the SOS [29] architecture is to allow communication between a
confirmedRationale
user and a target and all the other traffic are dropped. SOS is a network
A. Design
overlay composed of nodes that communicate with one another atop the underlying network infrastructure.
reach the server. Atis
Fundamentally,
the Clients
goal use
ofoverlay
the network
SOS toinfrastructure
the overlay entrance, the clients are authenticated. Only a small set of source
to
distinguish between authorized and unauthorized (or, more
generally, unverified) traffic. The
23 former is allowed to reach the
destination, while the latter is dropped or is rate-limited. Thus,
at a very basic level, we need the functionality of a firewall
“deep” enough within the network so that the access link to the
target is not congested. This imaginary firewall would perform
addresses are approved to reach the server while all other traffic is filtered out.
The forwarding of a packet within the SOS architecture, depicted in Figure 7,
proceeds through the following stages:
• Users first contacts nodes that can check its legitimacy and let him access
the overlay. Those nodes are called a SOAP. SOAP will receives and verifies
that the source point has a legitimate communication for the target.
• The SOAP routes the packet to a special node, called the beacon, in the SOS
architecture using chord. Chord is overlay routing algorithm in which the
node IDs are hashed into the routing table and packets are routed to those
hashed identifiers. It is guaranteed to reach node with a given nodeID within
O(logN) hops. In SOS, the target IP address are used as the node ID.
• The beacon forwards the packet to a “secret” node, called the secret servlet,
whose identity is known to only a small subset of participants in the SOS
architecture. Secret servlets actually act as a firewall here and their identity
has to be hidden because their source address is a passport for the realm
beyond the firewall.
• The secret servlet finally forwards the packet to the target.
• Filters around the target stops all traffic from reaching the target except for
traffic that is forwarded from a point whose IP address is the secret servlet.
In this approach, access points can distinguish legitimate packets from attack
packets. Overlay network protects traffic flow with firewall prevents the attack
packets reach the server. So the redundancy in the overlay network together with
the secrecy of the path to the target prevents DDoS attacks on SOS. On the other
hand, client must be aware of overlay and use it to access the victim, thus this
requires modification on the client side. Traffic to the target might need to go
through several extra intermidiate nodes in the overlay network. This costs extra
overhead.
Angelos et al. [31] further addressed the problem that opponents can use their
limited attack capabilities against a time-changing set of overlay nodes. They
proposed a stateless spread-spectrum paradigm to create per-packet path diversity between each pair of end-nodes using a modified Indirection-based overlay
networks(IONs).
OverDoSe [32] isolates the home server by placing it on a private network that
is logically separate from the ISP’s IP routing infrastructure. ISP then configures
24
tunnels between the overlay nodes and the server to allow only them to reach the
server. Such a private network can be established using an ISP’s existing VPN
technology, by configuring MPLS or other tunnels between the overlay nodes and
the edge. This approach eliminate the need to use filters around the target to stop
the traffic not originating from the overlay nodes.
* Turing test
In DDoS attack, instead of identifying individual users, we just need to distinguish
between humans and machines as all known DDoS attacks are based on automated
agents.
Efforts to tell human and machine apart have led to a family of new security
protocols known as “Human Interactive Proofs,” or HIP’s. For our purposes, one
type of HIP is of particular interest: “Completely Automatic Public Turing tests to
tell Computers and Humans Apart,” or CAPTCHA’s [33]. CAPTCHA challenges
exploit gaps in the perceptual abilities between humans and machines. To date,
most applications of this paradigm involve requiring the user to transcribe a text
string that is presented in image format. Usually, the image is degraded in ways
that cause no difficulty for a human user but which make the corresponding machine vision problem difficult. However, such tests can also involve recognizing a
spoken utterance, solving a puzzle, etc [34].
Kill-Bots [35] is a kernel extension to protect Web servers against DDoS attacks that mimic flash crowds. Figure 9 summarizes the stages of Kill-Bots processing. When a new connection arrives, it is first checked against the list of
detected zombie address. If the IP address is not recognized as a zombie, KillBots admits the connection with probability decided by the current load. In Stage
1, admitted connections are served a graphical puzzle. If the client can solves
the puzzle, it is given a Kill-Bots HTTP cookie which allows its future connections, for a short period, to access the server without being subject to admission
control and without having to solve new puzzles. While in Stage 2, Kill-Bots no
longere issues puzzles, admitted connections are immediately given a Kill-Bots
HTTP cookie. That is because during Stage 1, Kill-Bots should have identified
the malicious attacker and added them in the recognized zombie list. Figure 8
shows the graphical tests that Kill-Bots used to authenticates clients.
WebSOS [36] is a overlay-based architecture use graphical Truing tests to authenticate the clients accessing the web server. WebSOS is based on the SOS [29]
overlay architecture.
Both Kill-Bots and WebSOS requires no modifications to either servers or
25
rol.
hanism is ac2 stages:
sion to solve
server. Hubut zombies
though Killng tests. Ley to reload a
e server, dembies which
ing new reuses this dif-
ACK
time
Request
Send
Test TCP-FIN
SYN
Cookie
Kill-Bots
Server Kernel
No Socket!
Figure 3: Kill-Bots modifies server’s TCP stack to send tests
to new clients without allocating a socket or other connection resources.
Figure 4:
Screenshot
graphical
Figure
8: Screenshot of
of aagraphical
puzzle. puzzle.
<html>
<form method = “GET” action=“/validate”>
<img src = “PUZZLE.gif”>
<input type = “password” name = “ANSWER”>
<input type = “hidden” name = “TOKEN” value = “[]”>
</form>
</html>
Admission
Connection from
Unauthenticated
client
recognized
zombie IP?
no
Control
α = f (load)
admit
Stage?
Stage1
serve
puzzle
Stage
Figure 5: HTML
source for the puzzle
yes
2
Puzzle ID (P)
drop
Random (R)
drop
Creation Time (C)
accept
Hash (P, R, C, secret)
32
96
32
32
Figure
Kill-Bots
that
graphical
puzzles
Figure 9: 1:
Stages
of Kill-BotsOverview.
processing. TheNote
graphical
puzzles
are only served
during
Stage1.
are only served during
1.
FigureStage
6: Kill-Bots
Token
bie addresses. If the IP address is not recognized as a
server
TCP
stack. As
shown
Fig. 3, similarly
to a typizombie,
Kill-Bots
admits
theinconnection
with probabilcal
server responds
to a SYN
ityTCP
α =connection,
f (load). Ina Kill-Bots
Stage261 , admitted
connections
are
packet
a SYNpuzzle.
cookie.IfThe
clientsolves
receives
SYN
servedwith
a graphical
the client
thethe
puzzle,
cookie,
increases
its congestion
window
two packets,
it is given
a Kill-Bots
HTTP cookie
whichtoallows
its futransmits
a SYNACKACK
the first
data packet
that
ture connections,
for a shortand
period,
to access
the server
usually
the HTTP
request. control
In contrast
to a typwithoutcontains
being subject
to admission
and without
ports the an
the kernel
SWER (see
established
Note the
trol semant
ware, and p
establishin
(b) One T
legitimate
request or
gives an H
rectly. Thi
for a speci
T = 30m
by a crypto
server crea
cation with
(c) Crypto
issues a pu
token cons
number R,
32-bit colli
the server
HTML for
When a
answer to t
server first
Second, th
the token w
the server c
all checks
HTTP coo
ated from
and record
cookies. S
browsers. The technologies they make use of, like graphical Turing tests, web
proxies and client authentication using the SSL/TLS protocol are all readily supported by modern browsers.
Those graphical CAPTCHA requires to send images from the server to the
client for authentication actually consumes quite considerable bandwidth. Low
bandwidth Turing test, such as Text-based Turing test can be a plus for use in this
scenario to save the precious network resources. Yet currently, the effectiveness
of this kind of tests based on sense-ambiguity or question-answer are still not very
clear. We will review some work on the text domain Turing tests.
The earliest attempt to create text-based CAPTCHA was made by Godfrey [37].
In his first approach, he randomly selected a word from a piece of text taken
from a datasource of human-written text, and substituted it by another word selected at random, in the hope that it would be easy for humans to pick that word
(because it didn’t fit in the context), but difficult for computers. However he could
write a program that had considerable success-rates in “cheating” the test by taking into account statistic characteristics of natural language. In a second approach,
he used a statistic model to generate essentially meaningless text in order to get
a “bad” sentence, and selected a “good” sentence from a repository of humanwritten text. The idea was that, after applying random transformations to both, a
human should still be able to distinguish between the good and the bad sentence,
which turned out not to be the case. Godfrey concluded his contribution with a discussion of why text was so much more problematic a medium for the construction
of CAPTCHA than images or sounds. He attributed this to the fact that humans
are more often exposed to distorted images and sounds than to distorted text, and,
as a result, it is more difficult for humans to recognize distorted text [37].
Richard et al. proposed to use the problem of sense-ambiguity for generating
text-based CAPTCHA to be used in fighting with DoS attacks and spam. The
problem of word-sense ambiguity is closely linked to the notion of synonymy
defined by Miller et. al. [38]:
”According to one definition (usually attributed to Leibniz) two expressions
are synonymous if the substitution of one for the other never changes the truth
value of a sentence in which the substitution is made.By that definition, true synonyms are rare, if they exist at all. A weakened version of this definition would
make synonymy relative to a context: two expressions are synonymous in a linguistic context C if the substitution of one for the other in C does not alter the
truth value.”
For example, move, in a sense where it can be replaced by run or go, has a
different meaning than move, in a sense where it can be replaced by impress or
27
Pick the sentences that are
meaningful replacements of each other:
The
The
The
The
The
speech
speech
speech
speech
speech
has
has
has
has
has
to
to
to
to
to
move through several more drafts.
run through several more drafts.
go through several more drafts.
impress through several more drafts.
strike through several more drafts.
Fig. 3. A task that is difficult for a computer but trivial for a human.
Figure 10: A task that is difficult for a computer but trivial for a human.
strike. Figure 10 an example generated by the system
Anand [39]
designed a text-based
Test based
on question-answering.
text in everyday
written-language.
ByTuring
selecting
word-senses
that are especially
They
modified
the
ASTROGEN,
an
open-source
Natural
Language
Generation
difficult to disambiguate, eventually checking whether a test can
be passed by
system, to generate questions. The system generates three types of logical quesany of the
well-known techniques before presenting it to the testee, we can make
tions:
work much harder for WSD systems.
4
1. Counting based questions These questions utilize cardinality associated
with the objects in a sentence, which are added together. An example is “2
boys walk into
the shop. 3 girl walks into the shop. 1 boy walks out of the
Constructing
HIPs
shop. How many people are in the shop?”
For the construction
of questions
an HIP Tense
basedbased
on sense-ambiguity,
we need
corpus C,
2. Tense based
questions utilize the tense
of the averb
which is a collection
correct
natural
language
sentences.
Furthermore
to create aoflogical
question.
An example
is “Helen
has a red
car. Mark haswe need
a
white
car.
Mark
sold
a
car.
Who
has
a
car?”
a lexicon consisting of the set of words W and the organization of these words into
synsets S1 3.
, . .Common
. , Sn with
Si based
⊆ W questions
for 1 ≤ Both
i ≤ n.
Denote the set of all synsets by
sense
the above questions can be augW
S = {S1 , . . . ,mented
Sn } ⊆with
2 common
. Both sense.
the corpus
and
theis lexicon
can
safely be aassumed
Common
sense
introduced
by associating
public wisdom.
we need
to rely
on a private
database
establishing
a
trait However
with each lexicon
terminal.
For example,
all fruits,
such as apple,
orcan be given
a common
fruit.
So, when
mapping sa :anges
C ×and
W peaches
7→ S, which
we will
refer sense
to astrait,
thecalled
secret
annotation.
a question like “How many fruits are there?” is to be generated, some lexical
items containing
be included
in the question
The Public Lexicon:
The the
settrait
Wfruit
is will
a table
containing
words,description.
represented by
Similarly, adding the gender to objects and people is another common sense
character-coded
strings. The set S is stored as a table associating words and
trait.
symbolic tokens in such a way that each group of words assigned to the same
addition,
proposed equivalence-class
a way to add errors inrelative
the generated
question
to make context
symbolicIntoken
is they
a semantic
to some
linguistic
it
more
difficult
for
natural
language
processing
tools
to
understand.
(similar to the intuitive picture of synsets presented in the previous section).
The Public Corpus: Each sentence c ∈28C contains at least one word wc that is
contained in at least two distinct synsets Sa , Sb ∈ S, so that wc ∈ Sa ∩ Sb . Thus,
looking up the word wc in the table representing S yields multiple symbolic
tokens, indicating that wc has different meanings.
The Secret Annotation: If two synsets Sa and Sb contain word wc , the annotation
Further research on exploring the other inherent ambiguity aspects in human
languages are still needed to develop effective Turing test.
* Synthetic Authentication
NetBouncer [40] is a client-legitimacy-based DDoS filtering. It tries to detect
legitimate clients and only serve their packets. NetBouncer is deployed near the
victim side and it is an inline defense device deployed in front of the possible
choke point. A NetBouncer device maintains a large legitimacy list of clients that
have been proved to be legitimate. If packets are received from a client (source)
not on the legitimacy list, a NetBouncer device will proceed to administer a variety
of legitimacy tests to challenge the client to prove its legitimacy. In addition,
NetBouncer uses various QoS techniques to assure fair sharing of resources by
legitimate client traffic. The legitimacy of a client expires after a certain interval.
NetBouncer proposed several levels of legitimacy tests:
• Packet-based tests In this kind of test, the decision as to whether a packet
can be passed is made solely by examining the contents of the packet. For
example, for those packet whose source is not recognized to be in the legitimacy list, NetBouncer will challenge the source of the packet by sending
to this source an ICMP echo request. In order to avoid storing state in NetBouncer, the original packet is encapsulated in the payload of the outgoing
ICMP echo request. When the ICMP echo reply packet is receives, NetBouncer extracts the original request from it and forwards to the destination.
However, this approach might not be feasible these days because firewalls
and routers are normally configured to not respond to echo requests.
• Flow-based tests In contrast to a packet-based test, these kinds of tests
might apply to the entire stream of packets that belong to a flow. An example for this is using stateless TCP SYN cookies to validate the transport
layer TCP connection.
• Application and session-oriented legitimacy tests These tests understand
application level abstractions and structures as well as session semantics.
For example, the application layer Turing-style test for the presence of a
human user.
NetBouncer can ensures good service to legitimate clients in the most of the
cases and does not require modifications to clients or servers. Its stateless legitimacy tests can prevent DoS attacks on NetBouncer itself. However, some of the
29
legitimate clients will not be validated. For instance, when NetBouncer tries to
use the ICMP echo message to validate the client while the firwall on the client
has blocked out this kind of traffic. What’s more, the challenge generation may
also impose heavy load on NetBounce. The use of only legitimate IP list have the
potential problem that legitimate client identity can be misused for attacks. After
all, a large number of agents can still degrade service to legitimate clients.
Deterrence Through “Pricing”
Resource limitation approaches try to limit an individual attack machine to use
many of a target’s resources. Clients have to “pay” in the form of computational
resource in order to send requests, for example, solving some puzzles. A limitation of this approach is that existing legitimate senders normally do not set up to
process the extra work or support the authentication process. So in many cases,
this approach requires the change to the client software.
Juels et al. [41] proposed the idea of using client puzzles to preserve resources
during connection depletion attack. When the attack occurs, server distributes
small cryptographic puzzle to clients requesting for service. Those puzzles are
easy to compose for the server, yet they requires quite some resource for the client
to solve the puzzle. Server determines the difficulty of the puzzle according to
its resource consumption status. If the solution client sends back to the server is
correct and within the specified time limit, server will allocation resources and
establish the connection with client. The puzzle generation is stateless and clients
cannot reuse the puzzle solutions, thus attacker cannot make use of the intercepted
packets.
Client puzzles have low overhead on server and at the same time forces the attacker to spend resources and thus protect server resources from depletion. However, this approach does not work against highly distributed attacks and does not
work for the bandwidth consumption attacks. Yet when combined with other
DDoS approach, client puzzles can improve the performance of the defense system.
3.3
DDoS Attack Solution Considerations
An ideal DDoS defense solution should have the following characteristics: effective, transparent to existing Internet infrastructure, low performance overhead,
invulnerable to attacks aim at defense system, incremental deployable and no impact on the legitimate traffic. We will further discuss the solutions to DDoS attack
30
based on those considerations.
1. Effectiveness Whether this can stop attacks on the spot regardless of whether
it is a disruptive attack or degrading attack, regardless of its strength?
In the approaches for identify the source of attack traffic, Traceback facilitates locating routers close to the attack sources. Yet it does not work well
for highly distributed attacks and its result is not 100% accuate. It is more
effective for non-distributed attacks and for highly overlapping attack paths.
Packet marks used in Traceback can be forged by the attackers. PICA, on
the other hand, records paths of packet streams in path messages (sent as
an ICMP message), thus eliminating the need of path reconstruction at the
receiver end. This approach is more efficient in constructing the attacker
map in DDoS.
In the attempts to filter the traffic, pushback is likely to successfully using
the core routers to control the attack, relieving congestion in the Internet. DWARD tries to protect the server from the source end, and thus can be able
to fast detect of attacks and fast removal of rate limit when attack stops.
DefCOM adopts a distributed deployment and performs the action in where
most successful: accurate detection at the victim, rate-limiting in the core
and traffic differentiation at the source.
In the approach to authenticate the client, NetBouncer Successfully defeats
spoofed attacks. Large number of agents can still degrade service to legitimate clients, creating flash crowd effect. Some legitimate clients do not
support certain legitimacy tests (i.e. ping test). Kill-bots uses a stateless authentication, provides solution to serves legitimate users who dont answer
CAPTCHAs and optimizes the balance between authentication & service.
It also improves the performance during Flash Crowds. All those make
Kill-bots an efficient solution for online web business. Low Bandwidth Turing Test facilitates to defeat software agents without aggravating the DDoS
problem, which makes the Turing test approach more effective.
2. Transparency to existing Internet infrastructure
Most of the approaches requires the changing of the Internet infrastructure,
thus make the solution not so applicable. For example, the deployment of
pushback requires modification of existing core routers and likely purchase
of new hardware.
31
The use of overlay network provide an alternative approach. These approaches don’t require to change the network protocol or routers. Such
system uses Internet-wide network of nodes to act as a distributed firewall,
and carry out authentication for the clients. The protected servers hide
behind the overlay network, only authorized clients can access protected
servers through the overlay network. Overlay network is nothing but a nontransparent way of packet interception. Once all incoming packets into a
protected server can be intercepted, whether the server’s identity is secret or
not is immaterial.
The work of Sriram [28] demonstrated the possibility of redirecting incoming/outgoing packets through a node at the IP layer requiring no modification to the existing network.
3. Extent of modification to client-side software
Most of the solutions don’t require the modification to client-side software,
like Egress Filtering, Ingress Filtering NetBouncer etc.
Yet the following solutions require the client-side change: In SOS, clients
must be aware of overlay and use it to access the victim. When Client
Puzzles are used, client modification is required to support receiving and
solving the puzzles.
4. Performance overhead The defense system should be reasonably inexpensive no matter in the presence of attack or not.
Some of the approaches have little overhead, for example, in Pushback, the
operation is simple and nearly no overhead for routers. And D-WARD has
small processing and memory overhead. Some other approaches might have
more overhead. In SOS, the traffic routed through the overlay travels on
suboptimal path. In traceback, Packet marking incurs moderate overhead
at routers. Yet Reassembly of distributed attack paths is prohibitively expensive, but this can be countered by doing the computation offline. When
using the Client Puzzles, the puzzle verification consumes quite some of
server resources.
5. Whether the defense systems themselves are vulnerable to attacks Most
of the approaches use the stateless way of operation. Thus attackers can not
launch state-consumption attack on these defense systems. For example, in
NetBouncer, all legitimacy tests are stateless, thus defense system cannot
32
be target of state-consumption attacks. Challenge generation may exhaust
defense
Some systems resort to redundancy and encryption to prevent attack. For
instance, SOS relies on redundancy in the overlay and secrecy of the path to
the target to provide security against DoS attacks on SOS. Yet when one of
the node in SOS is compromised by the attacker, the target will be exposed
to the outside world.
6. Deployable Is there economic incentive for deployment? Is incremental
deployment feasible? pushback: Deployment at a few core routers can affect many traffic flows, due to core topology. Yet Pushback only works in
contiguous deployment
According to the requirement for deployment, the solutions can be divided
into the following:
• Incrementally Deployable Traceback is an example. It is incrementally deployable, a few disjoint routers can provide beneficial information;
• Legacy Compatibility For instance, in DefCOM, the Core nodes handle attacks from legacy networks. The overlay architecture provides
scalability and only a few deployment points are needed.
• Large Initial Deployment Required Firebreak falls in this category.
Initial firebreak deployment must be large. Even if there is only one
protected target, the initial firebreak deployment must be large enough
to repel the largest expected attack.
7. Accuracy of DDoS Defense DDoS defense usually requires dropping packets. But at the same time, legitimate traffic should be protected. Collateral
damage should be kept minimum. Pushback minimizes collateral damage
by placing response close to the sources. Collateral damage is inflicted by
response, whenever attack traffic is not clearly different than legitimate traffic. DefCOM uses selective response provides low collateral damage. In the
case of using Turing test for client authentication, if the human client can
not solve the Turing test properly, he might be refused for futher communication. Kill-bots distinguished the human user and attack agent further by
how many unsuccessful attempts they have made. Then human users who
do not answer CAPTCHAs can access the server despite the attack in the
second stage.
33
4
Proposed Solution
Currently intruders are beginning to more often use legitimate, or expected, protocols and services as the vehicle for packet streams. The resulting attacks are hard
to defend against using standard techniques, as the malicious requests differ from
the legitimate ones in intent but not in content.
Thus a lot of approaches described in this survey are not suitable to handle
this kind of traffic. Filtering or rate limiting based on anomalous packets are not
feasible at all. In fact, filtering or rate limiting an attack that is using a legitimate
and expected type of traffic may in fact complete the intruder’s task by causing
legitimate services to be denied.
Currently, the most feasible way to handle this kind of situation is using the
Turing Test mechanism as in Kill-bots. The graphical CAPTCHAs are most
widely used today. It consists of a picture with some degraded or distorted image,
which will take up a lot of valuable bandwidth especially in the case of the attack.
Those graphical CAPTCHA consists of a picture with some degraded or distorted image. In the case of DDoS attack, sending those images from the server
to the client for authentication actually consumes quite considerable bandwidth.
T. Y. Chan has used the text-to-speech approach to generate the audio-based Turing test, yet it shows that the audio CAPTCHA largely ineffective. And actually
audio-based Turing test will also consume remarkable bandwidth. Thus low bandwidth Turing test is very desirable for preventing the DDoS attack.
One possible low-bandwidth Turing test is using text-based question answering, since computational linguistics is one of the most prominent research disciplines in artificial intelligence, and at the same time, Turing test in text format
normally consume much less bandwidth. Although humans find it easy to understand the natural languages, computers do not. The following problems make it
pretty difficult for natural language processing [42].
1. Speech segmentation In most spoken languages, the sounds representing
successive letters blend into each other, so the conversion of the analog signal to discrete characters can be a very difficult process. Also, in natural
speech there are hardly any pauses between successive words; the location
of those boundaries usually must take into account grammatical and semantical constraints, as well as the context.
2. Text segmentation Some written languages like Chinese and Thai do not
have signal word boundaries either, so any significant text parsing usually
34
requires the identification of word boundaries, which is often a non-trivial
task.
3. Word sense disambiguation Many words have more than one meaning; we
have to select the meaning which makes the most sense in context.
4. Syntactic ambiguity The grammar for natural languages is ambiguous, i.e.
there are often multiple possible parse trees for a given sentence. Choosing
the most appropriate one usually requires semantic and contextual information. Specific problem components of syntactic ambiguity include sentence
boundary disambiguation.
5. Imperfect or irregular input Foreign or regional accents and vocal impediments in speech; typing or grammatical errors, OCR errors in texts.
6. Speech acts and plans Sentences often don’t mean what they literally say;
for instance a good answer to “Can you pass the salt” is to pass the salt; in
most contexts “Yes” is not a good answer, although “No” is better and “I’m
afraid that I can’t see it” is better yet. Or again, if a class was not offered last
year, “The class was not offered last year” is a better answer to the question
“How many students failed the class last year?” than “None” is.
These difficulties are what researchers can employ to generate effective textbased Turing test.
5
Conclusion
DDoS attacks are quite advanced and powerful methods to attack a network system to make it either unusable to the legitimate users or downgrade its performance. They are increasingly mounted by professional hacks in exchange for
money and benefits. Botnets containing thousands of nodes impose a severe hazard to the Internet online business. Yet there seems to be no “silver bullet” to
the problem. This survey examines the possible solutions to this problem, provides a taxonomies to classify those solutions and analyzes the feasibility of those
approaches. Based on the analysis of existing solutions, we proposed desirable
solution to defend DDoS.
35
References
[1] N. Long S. Dietrich and D. Ddittrich, “Analyzing distributed denial of service tools:
the shaft case,” in Proceedings of the LISA XIV.
[2] Gary C. Kessler,
“Defenses against distributed denial of service attacks,”
http://www.garykessler.net/library/ddos.html, November 2000.
[3] Celeste Biever,
“How zombie networks fuel cybercrime,”
http://www.newscientist.com/article.ns?id=dn6616, November 2004.
[4] Joris
Evers,
“Dns
servers
do
hackers’
dirty
work,”
http://news.com.com/DNS+servers+do+hackers+dirty+work/2100-7349 36053468.html.
[5] US-CERT, “The continuing denial of service threat posed by dns recursion,”
http://www.us-cert.gov/reading room/DNS-recursion121605.pdf.
[6] P. Barford V. Yegneswaran and J. Ullrich, “Iinternet intrusions: Global characteristics and prevalence,” in Proceedings of the 2003 ACM SIGMETRICS, 2003.
[7] C. Zou, D. Towsley, and W. Gong, “the performance of internet worm scanning
strategies,” 2003.
[8] “Code-red: a case study on the spread and victims of an internet worm,” in Proceedings of the Internet Measurement Workshop (IMW), 2002.
[9] S. Savage C. Shannon S. Staniford D. Moore, V. Paxson and N. Weaver, “Inside the
slammer worm,” IEEE Magazine on Security and Privacy, vol. 1(4), pp. 33–39, July
2003.
[10] V. Paxson S. Staniford and N. Weaver, “How to own the internet in your spare time,”
in 11th Usenix Security Symposium, San Francisco, August 2002.
[11] C. Zou, D. Towsley, W. Gong, and S. Cai, “Routing worm: A fast, selective attack
worm based on ip address information,” 2005.
[12] “Reserved ipv4 addresses,” http://www.cidr-report.org/v6/reserved-ipv4.html.
[13] C. Zou, D. Towsley, and W. Gong, “Email virus propagation modeling and analysis,”
.
[14] Nicholoas Weaver, “Potential strategies for high speed active worms: A worst case
analysis,” U.C.Berkerley BRASS Group.
36
[15] Randal Vaughn and Gadi Evron, “Dns amplification attacks preliminary release,”
March 17 2006.
[16] Kevin J. Houle and George M. Weaver, “Trends in denial of service attack technology,” http://www.cert.org/archive/pdf/DoS trends.pdf, October 2001.
[17] ,” http://www.akamai.com/.
[18] Stefan Savage, David Wetherall, Anna R. Karlin, and Tom Anderson, “Practical
network support for IP traceback,” in SIGCOMM, 2000, pp. 295–306.
[19] Alex C. Snoeren, Craig Partridge, Luis A. Sancheq, Christine E. Jones, Fabrice
Tchakountio, Stephen T. Kent, and W. Timothy Strayer, “Hash-based ip traceback,”
.
[20] S.
Bellovin,
“Icmp
traceback
messages,”
http://www.research.att.com/ smb/papers/draft-bellovin-itrace-00.txt, 2000.
[21] Fu hau Hsu and Tzi cker Chiueh, “A path information caching and aggregation
approach to traffic source identification,” .
[22] John Ioannidis and Steven M. Bellovin, “Implementing pushback: Router-based
defense against DDoS attacks,” in Proceedings of Network and Distributed System
Security Symposium, Catamaran Resort Hotel San Diego, C alifornia 6-8 February
2002, 1775 Wiehle Ave., Suite 102, Reston, VA 20190, February 2002, The Internet
Society.
[23] R. Mahajan, S. Bellovin, S. Floyd, J. Vern, and P. Scott, “Controlling high bandwidth
aggregates in the network,” 2001.
[24] Computer Emergency Response Team, “Cert advisory ca-2000-01 denial-of-servic
developments,” http://www.cert.org/advisories/CA-2000-01.html, January 2000.
[25] J. Mirkovic, M. Robinson, P. Reiher, and G. Kuenning, “Alliance formation for ddos
defense,” 2003.
[26] J. Mirkovic, G. Prier, and P. Reiher, “Attacking ddos at the source,” 2002.
[27] Paul Francis,
“Firebreak:
An ip perimeter defense architecture,”
www.cs.cornell.edu/people/francis/firebreak-short-04.pdf.
[28] Sriram Krishnamurthy, “Ip layer packet redirection,” M.S. thesis, S.U.N.Y. Stony
Brook, 2004.
[29] A. Keromytis, V. Misra, and D. Rubenstein, “Sos: Secure overlay services,” 2002.
37
[30] D. Andersen, “Mayday: Distributed filtering for internet services,” 2003.
[31] Angelos Stavrou and Angelos D. Keromytis, “Countering dos attacks with stateless multipath overlays,” in ACM Conference on Computer and Communications
Security 2005, Alexandria, Virginia, USA.
[32] David Andersen Elaine Shi, Ion Stoica and Adrian Perrig,
“Overdose: A generic ddos protection service using an overlay network,” reportsarchive.adm.cs.cmu.edu/anon/2006/CMU-CS-06-114.ps.
[33] L. von Ahn, M. Blum, N. Hopper, and J. Langford, “Captcha: Using hard ai problems for security,” in Proceedings of Eurocrypt, pp. 294–311.
[34] Daniel
Lopresti,
“Leveraging
the
captcha
www.cse.lehigh.edu/prr/hip2005/Presentations/Lopresti HIP2005.pdf.
problem,”
[35] Matthias Jacob Srikanth Kandula, Dina Katabi and Arthur Berger, “Botz-4-sale:
Surviving organized ddos attacks that mimic flash crowds,” in NSDI’05.
[36] A. Stavrou, “Websos: An overlay-based system for protecting web servers from
denial of service attacks,” 2005.
[37] Philip Brighten Godfrey, “Text-based captcha algorithms,” First Workshop on Human Interactive Proofs, 2002.
[38] Christiane Fellbaum Derek Gross George A. Miller, Richard Beckwith and
Katherine Miller,
“Introduction to wordnet: An on-line lexical database,”
http://www.cogsci.princeton.edu/w̃n/5papers.ps, Aug 1993.
[39] Anand Kashyap, “Low-bandwidth turing test for ddos attack prevention,” Tech.
Rep., Stony Brook Univerity, 2006.
[40] Mark B. Johnson T. Croall J. Thomas, R., “Netbouncer: Client-legitimacy-based
highperformance ddos filtering,” in Proceedings of DISCEX III, 2003.
[41] A. Juels and J. Brainard, “Client puzzles: A cryptographic countermeasure against
connection depletion attacks,” in Proceedings of NDSS 1999.
[42] “Natural language processing,” http://en.wikipedia.org/wiki/Natural language processing.
38