Distributed Denial of Service (DDoS) attacks have been a familiar threat to Internet users for more than 10 years. Such attacks are carried out by a "bot-net", an army of zombie hosts spread around the Internet that, upon command, send traffic that overwhelms the bandwidth toward their victim Web server. This paper introduces WDA, a novel architecture to attenuate the DDoS attacker's bandwidth. WDA is especially designed to protect Web farms. WDA is asymmetric: it monitors and protects only the uplink toward the Web farm, which is the typical bottleneck in DDoS attacks. Legitimate traffic toward Web farms is very distinctive, since it is produced by humans using Web-browsing software. Specifically, such upload traffic has low volume and, more importantly, has long off times that correspond to human view time. WDA uses these properties of legitimate client traffic to distinguish it from attack traffic, which tends to be continuous and heavy. A key feature of WDA is its use of randomized thresholds that trap and penalize deterministic zombie traffic that tries to mimic human client patterns. At the heart of WDA is WDAQ, a novel active queue management mechanism designed to prefer legitimate client traffic over attacker traffic. With WDA installed, the attacker traffic toward the victim is attenuated. Extensive simulation results show that WDA can defeat simple flooding attacks, and can attenuate the bandwidth usable by sophisticated WDA-aware attacks by orders of magnitude. As a consequence, the attacker must increase his "bot-net" size by the same factor to compensate for the effects of WDA. Our simulations show that WDA can defend a typical Web farm from DDoS attacks launched by hundreds of thousands of zombies, while keeping legitimate clients' service degradation under 10%.