Botz-4-Sale: Surviving Organized DDoS Attacks that Mimic Flash Crowds
Recent denial of service attacks are mounted by professionals using Botnets of tens of thousands of compromised machines. To circumvent detection, attackers are increasingly moving away from pure bandwidth floods to attacks that mimic the Web browsing behavior of a large number of clients, and target expe...
Main Authors: | Kandula, Srikanth; Katabi, Dina; Jacob, Matthias; Berger, Arthur |
---|---|
Other Authors: | Networks and Mobile Systems |
Language: | en_US |
Published: | 2005 |
Online Access: | http://hdl.handle.net/1721.1/30497 |
_version_ | 1811093350530416640 |
---|---|
author | Kandula, Srikanth Katabi, Dina Jacob, Matthias Berger, Arthur |
author2 | Networks and Mobile Systems |
collection | MIT |
description | Recent denial of service attacks are mounted by professionals using Botnets of tens of thousands of compromised machines. To circumvent detection, attackers are increasingly moving away from pure bandwidth floods to attacks that mimic the Web browsing behavior of a large number of clients, and target expensive higher-layer resources such as CPU, database and disk bandwidth. The resulting attacks are hard to defend against using standard techniques as the malicious requests differ from the legitimate ones in intent but not in content. We present the design and implementation of Kill-Bots, a kernel extension to protect Web servers against DDoS attacks that masquerade as flash crowds. Kill-Bots provides authentication using graphical tests but is different from other systems that use graphical tests. First, instead of authenticating clients based on whether they solve the graphical test, Kill-Bots uses the test to quickly identify the IP addresses of the attack machines. This allows it to block the malicious requests while allowing access to legitimate users who are unable or unwilling to solve graphical tests. Second, Kill-Bots sends a test and checks the client's answer without allowing unauthenticated clients access to sockets, TCBs, worker processes, etc. This protects the authentication mechanism from being DDoSed. Third, Kill-Bots combines authentication with admission control. As a result, it improves performance, regardless of whether the server overload is caused by DDoS or a true Flash Crowd. We have implemented Kill-Bots in the Linux kernel and evaluated it in the wide-area Internet using PlanetLab. |
first_indexed | 2024-09-23T15:43:33Z |
id | mit-1721.1/30497 |
institution | Massachusetts Institute of Technology |
language | en_US |
last_indexed | 2024-09-23T15:43:33Z |
publishDate | 2005 |
record_format | dspace |
spelling | mit-1721.1/30497 2019-04-11T06:23:34Z 2005-12-22T02:14:46Z 2005-12-22T02:14:46Z 2004-10-22 MIT-CSAIL-TR-2004-066 MIT-LCS-TR-969 http://hdl.handle.net/1721.1/30497 en_US Massachusetts Institute of Technology Computer Science and Artificial Intelligence Laboratory 15 p. 27361453 bytes 1271267 bytes application/postscript application/pdf application/postscript application/pdf |
title | Botz-4-Sale: Surviving Organized DDoS Attacks that Mimic Flash Crowds |
url | http://hdl.handle.net/1721.1/30497 |