Title:
Sustaining Availability of Web Services under Severe Denial of Service Attacks
Author(s)
Xu, Jun
Abstract
Denial of service (DoS) is one of the most difficult security problems to
address. While most existing techniques (e.g., IP traceback) focus on
tracing the location of the attackers after the fact, little has been done
on how to mitigate the effect of an attack while it is raging. We design a
system that can sustain the availability of web services during severe DoS
attacks. We observe that one of the major difficulties in doing this is
that packets sent by attackers (bad traffic) can be completely
indistinguishable from packets sent by legitimate users (good traffic),
forcing a large percentage of good traffic to be dropped as a consequence.
We develop a protocol that can effectively separate these two types of
traffic in a statistical sense, and this separation process is secure and
robust against various attacks. Therefore, by provisioning adequate
resources (e.g., bandwidth) to the "good traffic" separated by this
process, we are able to provide fairly good service to a large percentage
of users even during severe DoS attacks. As one example, during an attack
where the incoming traffic rate is 5 times the link rate (i.e., 80 percent
of traffic has to be dropped), the system can continue to serve 59 percent
of users, with only a 39 percent increase in the average end-to-end
download time of web pages. In comparison, without such a defense, no user
would receive any service, due to the long retransmission timeouts caused
by the heavy packet loss. Our system and protocol are completely compatible
with the HTTP (and HTTPS) protocols and do not require any modification to
web server or client software.
Date Issued
2001
Extent
330893 bytes
Resource Type
Text
Resource Subtype
Technical Report