Botz-4-Sale: Surviving Organized DDoS Attacks that Mimic Flash Crowds

Recent denial of service attacks are mounted by professionals using Botnets of tens of thousands of compromised machines. To circumvent detection, attackers are increasingly moving away from pure bandwidth floods to attacks that mimic the Web browsing behavior of a large number of clients, and target expe...

Bibliographic Details
Main Authors: Kandula, Srikanth, Katabi, Dina, Jacob, Matthias, Berger, Arthur
Other Authors: Networks and Mobile Systems
Language: en_US
Published: 2005
Online Access: http://hdl.handle.net/1721.1/30497
collection MIT
description Recent denial of service attacks are mounted by professionals using Botnets of tens of thousands of compromised machines. To circumvent detection, attackers are increasingly moving away from pure bandwidth floods to attacks that mimic the Web browsing behavior of a large number of clients, and target expensive higher-layer resources such as CPU, database and disk bandwidth. The resulting attacks are hard to defend against using standard techniques as the malicious requests differ from the legitimate ones in intent but not in content. We present the design and implementation of Kill-Bots, a kernel extension to protect Web servers against DDoS attacks that masquerade as flash crowds. Kill-Bots provides authentication using graphical tests but is different from other systems that use graphical tests. First, instead of authenticating clients based on whether they solve the graphical test, Kill-Bots uses the test to quickly identify the IP addresses of the attack machines. This allows it to block the malicious requests while allowing access to legitimate users who are unable or unwilling to solve graphical tests. Second, Kill-Bots sends a test and checks the client's answer without allowing unauthenticated clients access to sockets, TCBs, worker processes, etc. This protects the authentication mechanism from being DDoSed. Third, Kill-Bots combines authentication with admission control. As a result, it improves performance, regardless of whether the server overload is caused by DDoS or a true Flash Crowd. We have implemented Kill-Bots in the Linux kernel and evaluated it in the wide-area Internet using PlanetLab.
first_indexed 2024-09-23T15:43:33Z
id mit-1721.1/30497
institution Massachusetts Institute of Technology
language en_US
last_indexed 2024-09-23T15:43:33Z
publishDate 2005
record_format dspace
spelling mit-1721.1/30497 2019-04-11T06:23:34Z
2005-12-22T02:14:46Z 2005-12-22T02:14:46Z 2004-10-22 MIT-CSAIL-TR-2004-066 MIT-LCS-TR-969 http://hdl.handle.net/1721.1/30497 en_US Massachusetts Institute of Technology Computer Science and Artificial Intelligence Laboratory 15 p. 27361453 bytes 1271267 bytes application/postscript application/pdf application/postscript application/pdf