Mitigating application-level denial of service attacks on Web servers: A client-transparent approach

Authors:
Mudhakar Srivatsa;Arun Iyengar;Jian Yin;Ling Liu
Affiliations:
IBM T. J. Watson Research Center, Yorktown, NY;IBM T. J. Watson Research Center, Yorktown, NY;IBM T. J. Watson Research Center, Yorktown, NY;Georgia Institute of Technology, Atlanta, GA
Venue:
ACM Transactions on the Web (TWEB)
Year:
2008

Citing 16
Cited 3

Core-stateless fair queueing: achieving approximately fair bandwidth allocations in high speed networks

Proceedings of the ACM SIGCOMM '98 conference on Applications, technologies, architectures, and protocols for computer communication
Practical network support for IP traceback

Proceedings of the conference on Applications, Technologies, Architectures, and Protocols for Computer Communication
Flash crowds and denial of service attacks: characterization and implications for CDNs and web sites

Proceedings of the 11th international conference on World Wide Web
Session-Based Admission Control: A Mechanism for Peak Load Management of Commercial Web Sites

IEEE Transactions on Computers
Sustaining Availability of Web Services under Distributed Denial of Service Attacks

IEEE Transactions on Computers
Improving Search in Peer-to-Peer Networks

ICDCS '02 Proceedings of the 22 nd International Conference on Distributed Computing Systems (ICDCS'02)
New client puzzle outsourcing techniques for DoS resistance

Proceedings of the 11th ACM conference on Computer and communications security
Mitigating bandwidth-exhaustion attacks using congestion puzzles

Proceedings of the 11th ACM conference on Computer and communications security
A DoS-limiting network architecture

Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications
A Client-Transparent Approach to Defend Against Denial of Service Attacks

SRDS '06 Proceedings of the 25th IEEE Symposium on Reliable Distributed Systems
Botz-4-sale: surviving organized DDoS attacks that mimic flash crowds

NSDI'05 Proceedings of the 2nd conference on Symposium on Networked Systems Design & Implementation - Volume 2
Using client puzzles to protect TLS

SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
Denial of service via algorithmic complexity attacks

SSYM'03 Proceedings of the 12th conference on USENIX Security Symposium - Volume 12
Building an application-aware IPsec policy system

SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
Enhancing a web-server cluster with quality of service mechanisms

PCC '02 Proceedings of the Performance, Computing, and Communications Conference, 2002. on 21st IEEE International
A middleware system for protecting against application level denial of service attacks

Middleware'06 Proceedings of the 7th ACM/IFIP/USENIX international conference on Middleware

Defense techniques for low-rate DoS attacks against application servers

Computer Networks: The International Journal of Computer and Telecommunications Networking
Real-time CBR-agent with a mixture of experts in the reuse stage to classify and detect DoS attacks

Applied Soft Computing
Detection of HTTP-GET attack with clustering and information theoretic measurements

FPS'12 Proceedings of the 5th international conference on Foundations and Practice of Security

Quantified Score

Hi-index	0.00

Visualization

Abstract

Recently, we have seen increasing numbers of denial of service (DoS) attacks against online services and Web applications either for extortion reasons or for impairing and even disabling the competition. These DoS attacks have increasingly targeted the application level. Application-level DoS attacks emulate the same request syntax and network-level traffic characteristics as those of legitimate clients, thereby making the attacks much harder to detect and counter. Moreover, such attacks often target bottleneck resources such as disk bandwidth, database bandwidth, and CPU resources. In this article, we propose handling DoS attacks by using a twofold mechanism. First, we perform admission control to limit the number of concurrent clients served by the online service. Admission control is based on port hiding that renders the online service invisible to unauthorized clients by hiding the port number on which the service accepts incoming requests. Second, we perform congestion control on admitted clients to allocate more resources to good clients. Congestion control is achieved by adaptively setting a client's priority level in response to the client's requests in a way that can incorporate application-level semantics. We present a detailed evaluation of the proposed solution using two sample applications: Apache HTTPD and the TPCW benchmark (running on Apache Tomcat and IBM DB2). Our experiments show that the proposed solution incurs low performance overhead and is resilient to DoS attacks.