2005 Articles
Countering DoS Attacks With Stateless Multipath Overlays
Indirection-based overlay networks (IONs) are a promising approach for countering distributed denial of service (DDoS) attacks. Such mechanisms are based on the assumption that attackers will attack a fixed and bounded set of overlay nodes causing service disruption to a small fraction of the users. In addition, attackers cannot eaves-drop on links inside the network or otherwise gain information that can help them focus their attacks on overlay nodes that are critical for specific communication flows. We develop an analytical model and a new class of attacks that considers both simple and advanced adversaries. We show that the impact of these simple attacks on IONs can severely disrupt communications. We propose a stateless spread-spectrum paradigm to create per-packet path diversity between each pair of end-nodes using a modified ION access protocol. Our system protects end-to-end communications from DoS attacks without sacrificing strong client authentication or allowing an attacker with partial connectivity information to repeatedly disrupt communications. Through analysis, we show that an Akamai-sized overlay can withstand attacks involving over 1.3M "zombie" hosts while providing uninterrupted end-to-end connectivity. By using packet replication, the system can resist attacks that render up to 40% of the nodes inoperable. Surprisingly, our experiments on PlanetLab demonstrate that in many cases end-to-end latency decreases when packet replication is used, with a worst-case increase by a factor of 2.5. Similarly, our system imposes less than 15% performance degradation in the end-to-end throughput, even when subjected to a large DDoS attack.
Subjects
Files
-
spread.pdf application/pdf 473 KB Download File
Also Published In
- Title
- CCS '05 : proceedings of the 12th ACM Conference on Computer and Communications Security : November 7-11, 2005, Alexandria, Virginia, USA
- Publisher
- ACM Press
- DOI
- https://doi.org/10.1145/1102120.1102153
More About This Work
- Academic Units
- Computer Science
- Published Here
- March 21, 2012