WebSOS: an overlay-based system for protecting web servers from denial of service attacks

Authors:
Angelos Stavrou;Debra L. Cook;William G. Morein;Angelos D. Keromytis;Vishal Misra;Dan Rubenstein
Affiliations:
Department of Computer Science, Columbia University in the City of New York, New York, NY, USA;Department of Computer Science, Columbia University in the City of New York, New York, NY, USA;Department of Computer Science, Columbia University in the City of New York, New York, NY, USA;Department of Computer Science, Columbia University in the City of New York, New York, NY, USA;Department of Computer Science, Columbia University in the City of New York, New York, NY, USA;Department of Computer Science, Columbia University in the City of New York, New York, NY, USA
Venue:
Computer Networks: The International Journal of Computer and Telecommunications Networking - Web security
Year:
2005

Citing 45
Cited 7

NetCash: a design for practical electronic currency on the Internet

CCS '93 Proceedings of the 1st ACM conference on Computer and communications security
Consistent hashing and random trees: distributed caching protocols for relieving hot spots on the World Wide Web

STOC '97 Proceedings of the twenty-ninth annual ACM symposium on Theory of computing
Practical network support for IP traceback

Proceedings of the conference on Applications, Technologies, Architectures, and Protocols for Computer Communication
Implementing a distributed firewall

Proceedings of the 7th ACM conference on Computer and communications security
Protecting web servers from distributed denial of service attacks

Proceedings of the 10th international conference on World Wide Web
Hash-based IP traceback

Proceedings of the 2001 conference on Applications, technologies, architectures, and protocols for computer communications
On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law internets

Proceedings of the 2001 conference on Applications, technologies, architectures, and protocols for computer communications
Chord: A scalable peer-to-peer lookup service for internet applications

Proceedings of the 2001 conference on Applications, technologies, architectures, and protocols for computer communications
A scalable content-addressable network

Proceedings of the 2001 conference on Applications, technologies, architectures, and protocols for computer communications
Network support for IP traceback

IEEE/ACM Transactions on Networking (TON)
TCP congestion control with a misbehaving receiver

ACM SIGCOMM Computer Communication Review
Efficient packet marking for large-scale IP traceback

Proceedings of the 9th ACM conference on Computer and communications security
SOS: secure overlay services

Proceedings of the 2002 conference on Applications, technologies, architectures, and protocols for computer communications
Attacking DDoS at the Source

ICNP '02 Proceedings of the 10th IEEE International Conference on Network Protocols
Authorization and Charging in Public WLANs Using FreeBSD and 802.1x

Proceedings of the FREENIX Track: 2002 USENIX Annual Technical Conference
A Study of the Relative Costs of Network Security Protocols

Proceedings of the FREENIX Track: 2002 USENIX Annual Technical Conference
Offline Micropayments without Trusted Hardware

FC '01 Proceedings of the 5th International Conference on Financial Cryptography
A Payment Scheme Using Vouchers

FC '98 Proceedings of the Second International Conference on Financial Cryptography
Requirements for network payment: the NetCheque perspective

COMPCON '95 Proceedings of the 40th IEEE Computer Society International Conference
Defending Against Denial-of-Service Attacks with Puzzle Auctions

SP '03 Proceedings of the 2003 IEEE Symposium on Security and Privacy
Pi: A Path Identification Mechanism to Defend against DDoS Attacks

SP '03 Proceedings of the 2003 IEEE Symposium on Security and Privacy
A framework for classifying denial of service attacks

Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications
Analysis of a Denial of Service Attack on TCP

SP '97 Proceedings of the 1997 IEEE Symposium on Security and Privacy
Using graphic turing tests to counter automated DDoS attacks against web servers

Proceedings of the 10th ACM conference on Computer and communications security
Hop-count filtering: an effective defense against spoofed DDoS traffic

Proceedings of the 10th ACM conference on Computer and communications security
A holistic approach to service survivability

Proceedings of the 2003 ACM workshop on Survivable and self-regenerative systems: in association with 10th ACM Conference on Computer and Communications Security
Analyzing Distributed Denial of Service Tools: The Shaft Case

LISA '00 Proceedings of the 14th USENIX conference on System administration
EasyVPN: IPsec Remote Access Made Easy

LISA '03 Proceedings of the 17th USENIX conference on System administration
Centertrack: an IP overlay network for tracking DoS floods

SSYM'00 Proceedings of the 9th conference on USENIX Security Symposium - Volume 9
Using client puzzles to protect TLS

SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
Inferring internet denial-of-service activity

SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
Denial of service via algorithmic complexity attacks

SSYM'03 Proceedings of the 12th conference on USENIX Security Symposium - Volume 12
Mayday: distributed filtering for internet services

USITS'03 Proceedings of the 4th conference on USENIX Symposium on Internet Technologies and Systems - Volume 4
On the performance of TCP splicing for URL-aware redirection

USITS'99 Proceedings of the 2nd conference on USENIX Symposium on Internet Technologies and Systems - Volume 2
VarietyCash: a multi-purpose electronic payment system

WOEC'98 Proceedings of the 3rd conference on USENIX Workshop on Electronic Commerce - Volume 3
NetCents: a lightweight protocol for secure micropayments

WOEC'98 Proceedings of the 3rd conference on USENIX Workshop on Electronic Commerce - Volume 3
NetBill security and transaction protocol

WOEC'95 Proceedings of the 1st conference on USENIX Workshop on Electronic Commerce - Volume 1
iKP: a family of secure electronic payment protocols

WOEC'95 Proceedings of the 1st conference on USENIX Workshop on Electronic Commerce - Volume 1
A set of protocols for micropayments in distributed systems

WOEC'95 Proceedings of the 1st conference on USENIX Workshop on Electronic Commerce - Volume 1
The millicent protocols for electronic commerce

WOEC'95 Proceedings of the 1st conference on USENIX Workshop on Electronic Commerce - Volume 1
Fileteller: paying and getting paid for file storage

FC'02 Proceedings of the 6th international conference on Financial cryptography
CAPTCHA: using hard AI problems for security

EUROCRYPT'03 Proceedings of the 22nd international conference on Theory and applications of cryptographic techniques
Recognizing objects in adversarial clutter: breaking a visual captcha

CVPR'03 Proceedings of the 2003 IEEE computer society conference on Computer vision and pattern recognition
Guaranteeing access in spite of distributed service-flooding attacks

Proceedings of the 11th international conference on Security Protocols
A lightweight, robust P2P system to handle flash crowds

IEEE Journal on Selected Areas in Communications

Quantifying Resistance to the Sybil Attack

Financial Cryptography and Data Security
On cellular botnets: measuring the impact of malicious devices on a cellular network core

Proceedings of the 16th ACM conference on Computer and communications security
A survey on the design, applications, and enhancements of application-layer overlay networks

ACM Computing Surveys (CSUR)
WDA: A Web farm Distributed Denial Of Service attack attenuator

Computer Networks: The International Journal of Computer and Telecommunications Networking
DTRAB: combating against attacks on encrypted protocols through traffic-feature analysis

IEEE/ACM Transactions on Networking (TON)
A multilayer overlay network architecture for enhancing IP services availability against dos

ICISS'11 Proceedings of the 7th international conference on Information Systems Security
Spread Identity: A new dynamic address remapping mechanism for anonymity and DDoS defense

Journal of Computer Security

Quantified Score

Hi-index	0.00

Visualization

Abstract

We present WebSOS, a novel overlay-based architecture that provides guaranteed access to a web server that is targeted by a denial of service (DoS) attack. Our approach exploits two key characteristics of the web environment: its design around a human-centric interface, and the extensibility inherent in many browsers through downloadable ''applets.'' We guarantee access to a web server for a large number of previously unknown users, without requiring pre-existing trust relationships between users and the system, by using reverse Graphic Turing Tests. Furthermore, our system makes it easy for service providers to charge users, providing incentives to a commercial offering of the service. Users can dynamically decide whether to use the WebSOS overlay, based on the prevailing network conditions. Our prototype requires no modifications to either servers or browsers, and makes use of Graphical Turing Tests, web proxies, and client authentication using the SSL/TLS protocol, all readily supported by modern browsers. We then extend this system with a credential-based micropayment scheme that combines access control and payment authorization in one operation. Turing tests ensure that malicious code, such as a worm, cannot abuse a user's micropayment wallet. We use the WebSOS prototype to conduct a performance evaluation over the Internet using PlanetLab, a testbed for experimentation with network overlays. We determine the end-to-end latency using both a chord-based approach and our shortcut extension. Our evaluation shows the latency increase by a factor of 7 and 2 respectively, confirming our simulation results.