Abstract
This article presents the design, implementation, analysis, and experimental evaluation of speak-up, a defense against application-level distributed denial-of-service (DDoS), in which attackers cripple a server by sending legitimate-looking requests that consume computational resources (e.g., CPU cycles, disk). With speak-up, a victimized server encourages all clients, resources permitting, to automatically send higher volumes of traffic. We suppose that attackers are already using most of their upload bandwidth so cannot react to the encouragement. Good clients, however, have spare upload bandwidth so can react to the encouragement with drastically higher volumes of traffic. The intended outcome of this traffic inflation is that the good clients crowd out the bad ones, thereby capturing a much larger fraction of the server's resources than before. We experiment under various conditions and find that speak-up causes the server to spend resources on a group of clients in rough proportion to their aggregate upload bandwidths, which is the intended result.
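A small model of the abstract's argument, added here as an illustration and not taken from the article. It assumes the server's resources are split in proportion to the traffic each client delivers; the `Client` type, the function names, and all client counts and bandwidth figures are constructed.

```python
from dataclasses import dataclass


@dataclass
class Client:
    good: bool
    upload_bw: float  # upload capacity in Mbit/s (constructed value)
    baseline: float   # traffic sent before any encouragement, Mbit/s


def sent(c: Client, encouraged: bool) -> float:
    # Under encouragement a client inflates its traffic up to its upload
    # capacity; a client already at capacity has nothing left to add.
    return c.upload_bw if encouraged else min(c.baseline, c.upload_bw)


def good_share(clients, encouraged: bool) -> float:
    """Fraction of server resources captured by good clients, under the
    assumed model: resources are split in proportion to delivered traffic."""
    total = sum(sent(c, encouraged) for c in clients)
    good = sum(sent(c, encouraged) for c in clients if c.good)
    return good / total if total else 0.0


def bandwidth_share(clients) -> float:
    """Good clients' fraction of the aggregate upload bandwidth."""
    total = sum(c.upload_bw for c in clients)
    return sum(c.upload_bw for c in clients if c.good) / total


def population(n_good: int, n_bad: int, bad_utilisation: float = 0.95):
    # Good clients use a sliver of their uplink; bad clients are assumed to
    # be near saturation already, as the abstract supposes.
    good = [Client(True, 2.0, 0.05) for _ in range(n_good)]
    bad = [Client(False, 2.0, 2.0 * bad_utilisation) for _ in range(n_bad)]
    return good + bad


if __name__ == "__main__":
    for n_good, n_bad in [(50, 50), (25, 75)]:
        pop = population(n_good, n_bad)
        print(f"{n_good} good / {n_bad} bad: "
              f"before={good_share(pop, False):.3f} "
              f"after={good_share(pop, True):.3f} "
              f"bandwidth share={bandwidth_share(pop):.3f}")
```

In this model the good clients end at their share of the aggregate upload bandwidth, so when they hold only a quarter of that bandwidth they capture a quarter of the server rather than all of it.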