Mitigating application-level denial of service attacks on Web servers: A client-transparent approach

ACM Transactions on the Web

Volumn 2, Issue 3, 2008, Pages

  Srivatsa, Mudhakar ^a   Iyengar, Arun ^a   Yin, Jian ^a   Liu, Ling ^b  

^a IBM T J WATSON RESEARCH CENTER   (United States)

^b GEORGIA INSTITUTE OF TECHNOLOGY   (United States)

Author keywords

Client transparency; DoS Attacks; Game theory; Web servers

Indexed keywords

ADMISSION CONTROL (AC); BOTTLENECK RESOURCES; CONGESTION CONTROL; CPU RESOURCES; DENIAL OF SERVICE (DOS) ATTACKS; DISK BANDWIDTH; DOS ATTACKS; INCOMING REQUESTS; ON-LINE SERVICES; PORT NUMBERS; TRAFFIC CHARACTERISTICS; WEB APPLICATIONS; WEB SERVERS;

COMPUTER CRIME; CONCURRENCY CONTROL; INFORMATION SCIENCE; INFORMATION THEORY; INTERNET; PORTS AND HARBORS; SECURITY OF DATA; SERVERS; TELECOMMUNICATION SYSTEMS; TRAFFIC CONGESTION; TRANSMISSION CONTROL PROTOCOL; WORLD WIDE WEB;

BENCHMARKING;

EID: 47249148481     PISSN: 15591131     EISSN: 1559114X     Source Type: Journal    
DOI: 10.1145/1377488.1377489     Document Type: Article

References (49)

1. APACHE. 2004. Apache tomcat servlet/JSP container. http://jakarta.apache.org/tomcat.
2. APACHE. 2005a. Apache HTTP server. http://httpd.apache.org.
3. APACHE. 2005b. Introduction to server side includes. http://httpd.apache.org/docs/howto/ssi.html.
4. BZERNSTEIN, D. J. 2005. SYN cookies. http://cr.yp.to/syncookies. html.
5. BLACK, D. RFC 2983: Differentiated services and tunnels. http://www.faqs.org/rfcs/rfc2983.html.
6. CARDELLINI, V., CASALICCHIO, E., COLAJANNI, M., AND MAMBELLI, M. 2002. Enhancing a Web server cluster with quality of service mechanisms. In Proceedings of 21st IEEE International Performance Computing and Communications Conference (IPCCC).
7. CERT. 2004. Incident note IN-2004-01 W32/Novarg.A virus.
8. CHANDRA, S., ELLIS, C. S., AND VAHDAT, A. 2000. Application-level differentiated multimedia Web services using quality aware transcoding. In Proc. IEEE (Special Issue on QoS in the Internet).
9. CHERKASOVA, L. AND PHAAL, P. 2002. Session based admission control: A mechanism for Web QoS. In wIEEE Trans. Comput.
10. CROSBY, S. A. AND WALLACH, D. S. 2003. Denial of service via algorithmic complexity attacks. In Proceedings of 12th USENIX Security Symposium. 29-44.
11. DARPA. 1981. RFC 793: Transmission control protocol. http://www.faqs.org/ rfcs/rfc793.html.
12. DIERKS, T. AND ALLEN, C. RFC 2246: The TLS protocol. http://www.ietf.org/rfc/rfc2246.txt.
13. EGEVANG, K. AND FRANCIS, P. 1994. RFC 1631: The IP network address translator (NAT). http://www.faqs.org/rfcs/rfc1631.html.
14. FERGUSON, R. AND SENIE, D. 1998. RFC 2267: Network ingressfiltering: Defeating denial of service attacks which employ IP source address spoofing. http://www.faqs.org/rfcs/rfc2267.html.
15. FIPS. Data encryption standard (DES). http://www.itl.nist.gov/fipspubs/ fip46-2.htm.
16. FIREFOX. 2005. Mozilla firefox Web browser. http://www.mozilla.org/products/firefox.
17. GOOGLE. Google mail. http://mail.google.com/.
18. GOOGLE. Google maps. http://maps.google.com/.
19. HALFBAKERY. Stateless TCP/IP server. http://www.halfbakery.com/ idea/Stateless 20TCP 2fIP 20server.
20. HARKINS, D. AND CARREL, D. 1998. RFC 2409: The Internet key exchange (IKE). http://www.faqs. org/rfcs/rfc2409.html.
21. IBM. 2005. DB2 universal database. http://www-306.ibm.com/software/data/ db2.
22. IYENGAR, A., RAMASWAMY, L., AND SCHROEDER, B. 2005. Web content delivery. In Techniques for Efficiently Serving and Caching Dynamic Web Content, X. Tang, J. Xu, and S. Chanson Ed., Springer.
23. JUELS, A. AND BRAINARD, J. 1999. Client puzzle: A cryptographic defense against connection depletion attacks. In Proceedings of Networks and Distributed Systems Security Symposium (NDSS).
24. JUNG, J., KRISHNAMURTHY, B., AND RABINOVICH, M. 2002. Flash crowds and denial of service attacks: Characterization and implications for CDNS and Web sites. In Proceedings of 11th World Wide Web Conference (WWW'02).
25. KANDULA, S., KATABI, D., JACOB, M., AND BERGER, A. 2005. Botz-4-sale: Surviving organized DDoS attacks that mimic flash crowds. In Proceedings of 2nd USENIX Symposium on Networked Systems Design and Implementation (NSDI).
26. KENT, S. 1998. RFC 2401: Secure architecture for the Internet protocol. http://www.ietf.org/rfc/ rfc2401.txt.
27. LEYDEN, J. 2003. East European gangs in online protection racket. www.theregister.co.uk/2003/ 11/12/east-european-gangs-in-online/.
28. NETFILTER. Netfilter/IPTables project homepage. http://www.netfilter.org/.
29. NETSCAPE. Javascript language specification. http://wp.netscape.com/eng/javascript/.
30. NICHOLS, K., BLAKE, S., BAKER, F., AND BLACK, D. RFC 2474: Definition of the differentiated services field (DS field) in the IPv4 and IPv6 headers. http://www.faqs.org/ rfcs/rfc2474.html.
31. NIST. AES: Advanced encryption standard. http://csrc.nist.gov/ CryptoToolkit/aes/.
32. OPENSSL. Openssl. http://www.openssl.org/.
33. PHARM. 2000. Java TPCW implementation distribution. http://www.ece.wisc. edu/ pharm/tpcw. shtml.
34. POULSEN, K. 2004. FBI busts alleged ddos mafia. www.securityfocus.com/news/9411.
35. SAVAGE, S., WETHERALL, D., KARLIN, A., AND ANDERSON, T. 2000. Practical network support for IP traceback. In Proceedings of ACM SIGCOMM.
36. SHA1. 2001. US secure hash algorithm I. http://www.ietf.org/rfc/rfc3174. txt.
37. SIRIS, V. A. AND PAPAGALOU, F. 2004. Application of anomaly detection algorithms for detecting SYN flooding attacks. In Proceedings of IEEE Global Telecommunications Conference (GLOBECOM).
38. S RIVATSA, M., IYENGAR, A., YIN, J., AND LIU, L. 2006a. A client-transparent approach to defend against denial of service attacks. In Proceedings of the 25th IEEE Symposium on Reliable Distributed Systems (SRDS).
39. SRIVATSA, M., IYENGAR, A., YIN, J., AND LIU, L. 2006b. A middleware system for protecting against application level denial of service attacks. In Proceedings of the 7th ACM/IFIP/USENIX Middleware Conference.
40. STOICA, I., SHENKER, S., AND ZHANG, H. 1998. Core-stateless fair queuing: A scalable architecture to approximate fair bandwidth allocations in high speed networks. In Proceedings of ACM SIGCOMM.
41. STUBBLEFIELD, A. AND DEAN, D. 2001. Using client puzzles to protect TLS. In Proceedings of the USENIX Security Symposium.
42. TPC. 2000. TPCW: Transactional e-commerce benchmark. http://www.tpc.org/ tpcw.
43. WANG, X. AND REITER, M. K. 2004. Mitigating bandwidth-exhaustion attacks using congestion puzzles. In Proceedings of 11th ACM Computer and Communications Security Conference (CCS).
44. WATERS, B., JUELS, A., HALDERMAN, A., AND FELTEN, E. W. 2004. New client puzzle outsourcing techniques for DoS resistance. In Proceedings of 11th ACM Computer and Communications Security Conference (CCS).
45. WEI,C.K. 2005. AJAX:Asynchronous Java+XML. http://www.developer. com/design/article.php/ 3526681.
46. XU, J. AND LEE, W. 2003. Sustaining availability of Web services under distributed denial of service attacks. In IEEE Trans. Comput. 52, 2, 195-208.
47. YANG, B. AND GARCIA-MOLINA, H. 2002. Improving search in peer-to-peer networks. In Proceedings of the IEEE 22nd International Conference on Distributed Computer Systems (ICDCS'03).
48. YANG, X., WETHERALL, D., AND ANDERSON, T. 2005. A DoS-limiting network architecture. In Proceedings of ACM SIGCOMM.
49. YIN, H. AND WANG, H. 2005. Building an application-aware IPSec policy system. In Proceedings of the USENIX Security Symposium.