Graph-theoretic analysis of structured peer-to-peer systems: routing distances and fault resilience
Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications
HPDC '01 Proceedings of the 10th IEEE International Symposium on High Performance Distributed Computing
BRITE: An Approach to Universal Topology Generation
MASCOTS '01 Proceedings of the Ninth International Symposium in Modeling, Analysis and Simulation of Computer and Telecommunication Systems
Simulating realistic network worm traffic for worm warning system design and testing
Proceedings of the 2003 ACM workshop on Rapid malcode
PlanetLab: an overlay testbed for broad-coverage services
ACM SIGCOMM Computer Communication Review
Roaming Honeypots for Mitigating Service-Level Denial-of-Service Attacks
ICDCS '04 Proceedings of the 24th International Conference on Distributed Computing Systems (ICDCS'04)
Tolerating denial-of-service attacks using overlay networks: impact of topology
Proceedings of the 2003 ACM workshop on Survivable and self-regenerative systems: in association with 10th ACM Conference on Computer and Communications Security
Realistic Large-Scale Online Network Simulation
Proceedings of the 2004 ACM/IEEE conference on Supercomputing
Traffic-based Load Balance for Scalable Network Emulation
Proceedings of the 2003 ACM/IEEE conference on Supercomputing
WebSOS: an overlay-based system for protecting web servers from denial of service attacks
Computer Networks: The International Journal of Computer and Telecommunications Networking - Web security
Mayday: distributed filtering for internet services
USITS'03 Proceedings of the 4th conference on USENIX Symposium on Internet Technologies and Systems - Volume 4
A study of the performance potential of DHT-based overlays
USITS'03 Proceedings of the 4th conference on USENIX Symposium on Internet Technologies and Systems - Volume 4
Understanding when location-hiding using overlay networks is feasible
Computer Networks: The International Journal of Computer and Telecommunications Networking - Overlay distribution structures and their applications
Countering DoS attacks with stateless multipath overlays
Proceedings of the 12th ACM conference on Computer and communications security
A geographic directed preferential internet topology model
Computer Networks: The International Journal of Computer and Telecommunications Networking
Keeping Denial-of-Service Attackers in the Dark
IEEE Transactions on Dependable and Secure Computing
Pollution attacks and defenses for Internet caching systems
Computer Networks: The International Journal of Computer and Telecommunications Networking
On attack causality in internet-connected cellular networks
SS'07 Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium
Understanding when location-hiding using overlay networks is feasible
Computer Networks: The International Journal of Computer and Telecommunications Networking - Overlay distribution structures and their applications
On cellular botnets: measuring the impact of malicious devices on a cellular network core
Proceedings of the 16th ACM conference on Computer and communications security
A survey on the design, applications, and enhancements of application-layer overlay networks
ACM Computing Surveys (CSUR)
Spread Identity: A new dynamic address remapping mechanism for anonymity and DDoS defense
Journal of Computer Security
| Hi-index | 0.00 |
Proxy networks have been proposed to protect applications from Denial-of-Service (DoS) attacks. However, since large-scale study in real networks is infeasible and most previous simulations have failed to capture detailed network behavior, the DoS resilience and performance implications of such use are not well understood in large networks. While post-mortems of actual large-scale attacks are useful, only limited dynamic behavior can be understood from these single instances. Our work provides the first detailed and broad study of this problem in large-scale realistic networks. The key is that we use an online network simulator to simulate a realistic large-scale network (comparable to several large ISPs). We use a generic proxy network, and deploy it in a large simulated network using typical real applications and DoS tools directly. We study detailed system dynamics under various attack scenarios and proxy network configurations. Specific results are as follows. First, rather than incurring a performance penalty, proxy networks can improve users' experienced performance. Second, proxy networks can effectively mitigate the impact of both spread and concentrated large-scale DoS attacks in large networks. Third, proxy networks provide scalable DoS-resilience - resilience can be scaled up to meet the size of the attack, enabling application performance to be protected. Resilience increases almost linearly with the size of a proxy network; that is, the attack traffic that a given proxy network can resist, while preserving a particular level of application performance, grows almost linearly with proxy network size. These results provide empirical evidence that proxy networks can be used to tolerate DoS attacks and quantitative guidelines for designing a proxy network to meet a resilience goal.