A Client-Transparent Approach to Defend Against Denial of Service Attacks

Authors:
Mudhakar Srivatsa;Arun Iyengar;Jian Yin;Ling Liu
Affiliations:
College of Computing, Georgia Institute of Technology, Atlanta, GA 30332, USA;IBM T. J. Watson Research Center, Yorktown Heights, NY 10598, USA;IBM T. J. Watson Research Center, Yorktown Heights, NY 10598, USA;College of Computing, Georgia Institute of Technology, Atlanta, GA 30332, USA
Venue:
SRDS '06 Proceedings of the 25th IEEE Symposium on Reliable Distributed Systems
Year:
2006

Citing 0
Cited 3

Mitigating application-level denial of service attacks on Web servers: A client-transparent approach

ACM Transactions on the Web (TWEB)
Information security of patient-centred services utilising the german nationwide health information technology infrastructure

HealthSec'12 Proceedings of the 3rd USENIX conference on Health Security and Privacy
A methodology to counter DoS attacks in mobile IP communication

Mobile Information Systems

Quantified Score

Hi-index	0.00

Visualization

Abstract

Denial of Service (DoS) attacks attempt to consume a server's resources (network bandwidth, computing power, main memory, disk bandwidth etc) to near exhaustion so that there are no resources left to handle requests from legitimate clients. An effective solution to defend against DoS attacks is to filter DoS attack requests at the earliest point (say, the web site's firewall), before they consume much of the server's resources. Most defenses against DoS attacks attempt to filter requests from inauthentic clients before they consume much of the server's resources. Client authentication using techniques like IPSec or SSL may often require changes to the client-side software and may additionally require superuser privileges at the client for deployment. Further, using digital signatures (as in SSL) makes verification very expensive, thereby making the verifi- cation process itself a viable DoS target for the adversary. In this paper, we propose a light-weight client transparent technique to defend against DoS attacks with two unique features: (i) Our technique can be implemented entirely using JavaScript support provided by a standard client-side browser like Mozilla FireFox or Microsoft Internet Explorer. Client transparency follows from the fact that: (i) no changes to client-side software are required, (ii) no client-side superuser privileges are required, and (iii) clients (human beings or automated clients) can browse a DoS protected website in the same manner that they browse other websites. (ii) Although we operate using the client-side browser (HTTP layer), our technique enables fast IP level packet filtering at the server's firewall and requires no changes to the application(s) hosted by the web server. In this paper we present a detailed design of our technique along with a detailed security analysis. We also describe a concrete implementation of our proposal on the Linux kernel and present an evaluation using two applications: bandwidth intensive Apache HTTPD and database intensive TPCW. Our experiments show that our approach incurs a low performance overhead and is resilient to DoS attacks.