WebSOS: An overlay-based system for protecting web servers from denial of service attacks

Computer Networks

Volumn 48, Issue 5, 2005, Pages 781-807

  Stavrou, Angelos ^a   Cook, Debra L ^a   Morein, William G ^a   Keromytis, Angelos D ^a   Misra, Vishal ^a   Rubenstein, Dan ^a  

^a Columbia University in the City of New York ^*  (United States)

Author keywords

Denial of service; Graphic Turing Tests; Java; Network topology; Overlay networks; Reliability; Security; Security and protection; Web proxies

Indexed keywords

COMPUTER NETWORKS; COMPUTER SIMULATION; HUMAN COMPUTER INTERACTION; JAVA PROGRAMMING LANGUAGE; RELIABILITY; SECURITY OF DATA; SERVERS; TURING MACHINES; USER INTERFACES;

DENIAL OF SERVICE; GRAPHIC TURING TESTS; NETWORK TOPOLOGY; OVERLAY NETWORKS; SECURITY; SECURITY AND PROTECTION; WEB PROXIES;

WORLD WIDE WEB;

EID: 18844457631     PISSN: 13891286     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.comnet.2005.01.005     Document Type: Article

References (77)

1. J. Ioannidis, S.M. Bellovin, Implementing pushback: router-based defense against DDoS attacks, in: Proceedings of the Network and Distributed System Security Symposium (NDSS), 2002
2. D. Dean, M. Franklin, A. Stubblefield, An algebraic approach to IP traceback, in: Proceedings of the Network and Distributed System Security Symposium (NDSS), 2001, p. 312
3. S. Savage, D. Wetherall, A. Karlin, and T. Anderson Network support for IP traceback ACM/IEEE Transactions on Networking 9 3 2001 226 237
4. A.D. Keromytis, V. Misra, D. Rubenstein, SOS: secure overlay services, in: Proceedings of ACM SIGCOMM, 2002, pp. 61-72
5. M.C. Benvenuto, A.D. Keromytis, EasyVPN: IPsec remote access made easy, in: Proceedings of the 17th USENIX Systems Administration Conference (LISA), 2003, pp. 87-93
6. S. Dietrich, N. Long, D. Dittrich, Analyzing distributed denial of service tools: the shaft case, in: Proceedings of USENIX LISA XIV, 2000
7. J. Ioannidis, S. Ioannidis, A.D. Keromytis, V. Prevelakis, Fileteller: paying and getting paid for file storage, in: Proceeding of Financial Cryptography (FC) Conference, 2002, pp. 282-299
8. L. Peterson, D. Culler, T. Anderson, T. Roscoe, A blueprint for introducing disruptive technology into the Internet, in: Proceedings of the 1st Workshop on Hot Topics in Networks (HotNets-I), 2002. URL available from: < citeseer.nj.nec.com/peterson02blueprint.html >
9. S.A. Crosby, D.S. Wallach, Denial of service via algorithmic complexity attacks, in: Proceedings of the 12th USENIX Security Symposium, 2003, pp. 29-44
10. A.D. Keromytis, J. Parekh, P.N. Gross, G. Kaiser, V. Misra, J. Nieh, D. Rubenstein, S. Stolfo, A holistic approach to service survivability, in: Proceedings of the ACM Survivable and Self-Regenerative Systems Workshop, 2003, pp. 11-22
11. S. Kent, R. Atkinson, Security architecture for the Internet protocol, RFC 2401, IETF, November 1998. URL available from: < ftp://ftp.isi.edu/in- notes/rfc2401.txt >
12. CCITT, X.509: The Directory Authentication Framework, International Telecommunications Union, Geneva, 1989
13. S.M. Bellovin, Distributed firewalls, ;login: magazine, special issue on security, 1999, pp. 37-39
14. S. Ioannidis, A. Keromytis, S. Bellovin, J. Smith, Implementing a distributed firewall, in: Proceedings of Computer and Communications Security (CCS), 2000, pp. 190-199
15. I. Stoica, R. Morris, D. Karger, F. Kaashoek, H. Balakrishnan, Chord: a scalable peer-to-peer lookup service for Internet application, in: Proceedings of ACM SIGCOMM, 2001
16. D. Karger, E. Lehman, F. Leighton, R. Panigrahy, M. Levine, D. Lewin, Consistent hashing and random trees: distributed caching protocols for relieving hot spots on the World Wide Web, in: Proceedings of ACM Symposium on Theory of Computing (STOC), 1997, pp. 654-663. URL available from: < citeseer.nj.nec.com/karger97consistent.html >
17. L. von Ahn, M. Blum, N.J. Hopper, J. Langford, CAPTCHA: using hard AI problems for security, in: Proceedings of EUROCRYPT, 2003
18. G. Mori, J. Malik, Recognizing objects in adversarial clutter: breaking a visual CAPTCHA, in: Computer Vision and Pattern Recognition CVPR'03, 2003
19. M. Blaze, J. Ioannidis, S. Ioannidis, A.D. Keromytis, P. Nikander, V. Prevelakis, TAPI: transactions for accessing public infrastructure, in: Proceedings of the 8th IFIP Personal Wireless Communications (PWC) Conference, 2003, pp. 90-10
20. M. Blaze, J. Feigenbaum, J. Ioannidis, A.D. Keromytis, The KeyNote Trust Management System Version 2, RFC 2704, September 1999
21. D. Farinacci, T. Li, S. Hanks, D. Meyer, P. Traina, Generic routing encapsulation (GRE), RFC 2784, IETF, March 2000. URL available from: < http://www.rfc-editor.org/rfc/rfc2784.txt >
22. G. Dommety, Key and sequence number extensions to GRE, RFC 2890, IETF, September 2000. URL available from: < http://www.rfc-editor.org/rfc/rfc2890. txt >
23. L. Amini, H. Schulzrinne, A. Lazar, Observations from router-level Internet traces, in: DIMACSWorkshop on Internet and WWW Measurement, Mapping and Modeling, 2002
24. D. Moore, G. Voelker, S. Savage, Inferring Internet denial-of-service activity, in: Proceedings of the 10th USENIX Security Symposium, 2001, pp. 9-22
25. J.V.L. Blunk, PPP extensible authentication protocol (EAP), RFC 2284, IETF, March 1998. URL available from: < http://www.ietf.org/rfc/rfc2284.txt >
26. IEEE Draft P802.1X/D11: Standard for Port based Network Access Control, March 2001
27. P. Nikander, Authorization and charging in public lawns using freebased and 802.1x, in: Proceedings of the Annual USENIX Technical Conference, Freenix Track, 2002
28. N. Haller, C. Metz, P. Nesser, M. Straw, A one-time password system, RFC 2289, IETF, February 1998. URL available from: < http://www.ietf.org/rfc/ rfc2289.txt >
29. D. Cook, Analysis of Routing Algorithms for Secure Overlay Service, Computer Science Department Technical Report CUCS-010-02, Columbia University, April 2002. URL available from: < http://www.cs.columbia.edu/~library/TR- repository/reports/reports-2002/cucs-010-02.pdf >
30. S. Ratnasamy, P. Francis, M. Handley, R. Karp, S. Shenker, A scalable content-addressable network, in: Proceedings of ACM SIGCOMM, 2001
31. A. Cohen, S. Rangarajan, J.H. Slye, On the performance of TCP splicing for URLAware redirection, in: USENIX Symposium on Internet Technologies and Systems, 1999. URL available from: < citeseer.nj.nec.com/cohen99performance. html >
32. S. Miltchev, S. Ioannidis, A.D. Keromytis, A study of the relative costs of network security protocols, in: Proceedings of USENIX Annual Technical Conference, Freenix Track), 2002, pp. 41-48
33. A.D. Keromytis, J.L. Wright, T. de Raadt, The design of the OpenBSD cryptographic framework, in: Proceedings of the USENIX Annual Technical Conference, 2003, pp. 181-196
34. C. Schuba, I. Krsul, M. Kuhn, E. Spafford, A. Sundaram, D. Zamboni, Analysis of a denial of service attack on TCP, in: IEEE Security and Privacy Conference, 1997, pp. 208-223
35. L. Heberlein, M. Bishop, Attack class: address spoofing, in: Proceedings of the 19th National Information Systems Security Conference, 1996, pp. 371-377
36. S. Savage, N. Cardwell, D. Wetherall, and T. Anderson TCP congestion control with a misbehaving receiver ACM Computer Communications Review 29 5 1999 71 78
37. S. Savage, D. Wetherall, A. Karlin, T. Anderson, Practical network support for IP traceback, in: Proceedings of the 2000 ACM SIGCOMM Conference, 2000, pp. 295-306
38. M.T. Goodrich, Efficient packet marking for large-scale IP traceback, in: Proceedings of the 9th ACM Conference on Computer and Communications Security (CCS), 2002, pp. 117-126
39. A. Snoeren, C. Partridge, L. Sanchez, C. Jones, F. Tchakountio, S. Kent, W. Strayer, Hash-based IP traceback, in: Proceedings of ACM SIGCOMM, 2001
40. R. Stone, CenterTrack: an IP overlay network for tracking DoS floods, in: Proceedings of the USENIX Security Symposium, 2000
41. J. Li, M. Sung, J. Xu, L. Li, large-scale IP traceback in high-speed Internet: practical techniques and theoretical foundation, in: Proceedings of the IEEE Symposium on Security and Privacy, 2004
42. P. Reiher, J. Mirkovic, G. Prier, Attacking DDoS at the source, in: Proceedings of the 10th IEEE International Conference on Network Protocols, 2002
43. C. Papadopoulos, R. Lindell, J. Mehringer, A. Hussain, R. Govindan, COSSACK: coordinated suppression of simultaneous attacks, in: Proceedings of DISCEX III, 2003, pp. 2-13
44. C. Jin, H. Wang, K.G. Shin, Hop-count filtering: an effective defense against spoofed dos traffic, in: Proceedings of the 10th ACM International Conference on Computer and Communications Security (CCS), 2003, pp. 30-41
45. A. Hussain, J. Heidemann, C. Papadopoulos, A framework for classifying denial of service attacks, in: Proceedings of ACM SIGCOMM, 2003, pp. 99-110
46. A. Yaar, A. Perrig, D. Song, Pi: a path identification mechanism to defend against DDoS attacks, in: Proceedings of the IEEE Symposium on Security and Privacy, 2003
47. M. Collins, M. Reiter, An empirical analysis of target-resident DoS filters, in: Proceedings of the IEEE Symposium on Security and Privacy, 2004
48. K. Park, H. Lee, On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law Internets, in: Proceedings of ACM SIGCOMM, 2001, pp. 15-26
49. F. Kargl, J. Maier, M. Weber, Protecting web servers from distributed denial of service attacks, in: World Wide Web, 2001, pp. 514-524. URL available from: < citeseer.nj.nec.com/444367.html >
50. A. Stavrou, D. Rubenstein, and S. Sahu A lightweight robust P2P system to handle flash crowds IEEE Journal on Selected Areas in Communications (JSAC 22 1 2004 6 17
51. D.L. Cook, W.G. Morein, A.D. Keromytis, V. Misra, D. Rubenstein, WebSOS: protecting web servers from DDoS attacks, in: Proceedings of the 11th IEEE International Conference on Networks (ICON), 2003, pp. 455-460
52. W.G. Morein, A. Stavrou, D.L. Cook, A.D. Keromytis, V. Misra, D. Rubenstein, Using graphic turing tests to counter automated DDoS attacks against web servers, in: Proceedings of the 10th ACM International Conference on Computer and Communications Security (CCS), 2003, pp. 8-19
53. D.G. Andersen, Mayday: distributed filtering for Internet services, in: 4th USENIX Symposium on Internet Technologies and Systems USITS, 2003
54. V.D. Gligor, Guaranteeing access in spite of distributed service-flooding attacks, in: Proceedings of the Security Protocols Workshop, 2003
55. T. Anderson, T. Roscoe, D. Wetherall, Preventing internet denial-of-service with capabilities, in: Proceedings of the 2nd Workshop on Hot Topics in Networks (HotNets-II), 2003
56. K. Lakshminarayanan, D. Adkins, A. Perrig, I. Stoica, Taming IP packet flooding attacks, in: Proceedings of the Second Workshop on Hot Topics in Networks (HotNets-II), 2003
57. R. Thomas, B. Mark, T. Johnson, J. Croall, NetBouncer: client-legitimacy-based high-performance DDoS filtering, in: Proceedings of DISCEX III, 2003, pp. 14-25
58. A. Yaar, A. Perrig, D. Song, An endhost capability mechanism to mitigate DDoS flooding attacks, in: Proceedings of the IEEE Security and Privacy Symposium, 2004
59. W.J. Blackert, D.M. Gregg, A.K. Castner, E.M. Kyle, R.L. Hom, R.M. Jokerst, Analyzing interaction between distributed denial of service attacks and mitigation technologies, in: Proceedings of DISCEX III, 2003, pp. 26-36
60. D. Dean, A. Stubblefield, Using client puzzles to protect TLS, in: Proceedings of the 10th USENIX Security Symposium, 2001
61. X. Wang, M.K. Reiter, Defending against denial-of-service attacks with puzzle auctions (extended abstract), in: Proceedings of the IEEE Symposium on Security and Privacy, 2003
62. M. Blaze, J. Ioannidis, A.D. Keromytis, Offline micropayments without trusted hardware, in: Proceedings of the Fifth International Conference on Financial Cryptography, 2001, pp. 21-40
63. D. Chaum Achieving electronic privacy Scientific American 1992 96 101
64. D. Chaum, Blind signatures for untraceable payments, in: Advances in Cryptology: Crypto'82 Proceedings, Plenum Press, 1982
65. G. Medvinsky, C. Neuman, NetCash: a design for practical electronic currency on the internet, in: Proceedings of the Second ACM Conference on Computer and Communication Security, 1994
66. M. Bellare, J. Garay, C. Jutla, M. Yung, VarietyCash: a multi-purpose electronic payment system, in: Proceedings of the Third USENIX Workshop on Electronic Commerce, USENIX, 1998
67. T. Poutanen, H. Hinton, M. Stumm, NetCents: a lightweight protocol for secure micropayments, in: Proceedings of the Third USENIX Workshop on Electronic Commerce, USENIX, 1998
68. M.S. Manasse, The Millicent protocols for electronic commerce, in: Proceedings of the First USENIX Workshop on Electronic Commerce, USENIX, 1995
69. L. Tang, a set of protocols for micropayments in distributed systems, in: Proceedings of the First USENIX Workshop on Electronic Commerce, USENIX, 1995
70. C. Jutla, M. Yung, Paytree: amortized signature for flexible micropayments, in: Proceedings of the Second USENIX Workshop on Electronic Commerce, USENIX, 1996
71. R. Rivest, and A. Shamir PayWord and MicroMint CryptoBytes 2 1 1996 7 11
72. R. Hauser, M. Steiner, M. Waidner, Micro-payments based on ikp, in: Proceedings of the 14th Worldwide Congress on Computer and Communication Security Protection, 1996
73. A. Herzberg, Safeguarding Digital Library Contents, D-Lib Magazine
74. C. Neuman, G. Medvinsky, Requirements for network payment: The Netcheque prospective, in: Proceedings of IEEE COMCON, 1995
75. M. Bellare, J. Garay, A. Herzberg, H. Krawczyk, M. Steiner, G. Tsudik, M. Waidner, iKP-A family of secure electronic payment protocols, in: Proceedings of the First USENIX Workshop on Electronic Commerce, USENIX, 1995
76. E. Foo, and C. Boyd A payment scheme using vouchers Proceedings of the Second International Conference on Financial Cryptography Lecture Notes in Computer Science vol. 1465 1998 Springer-Verlag 103 121
77. B. Cox, D. Tygar, M. Sirbu, NetBill security and transaction protocol, in: Proceedings of the First USENIX Workshop on Electronic commerce, USENIX, 1995