| Publication Title: |
Botz-4-Sale: Surviving Organized DDoS Attacks that Mimic Flash Crowds |
| Publication Author: |
Kandula, Srikanth |
| Additional Authors: |
Dina Katabi, Matthias Jacob, Arthur Berger |
| LCS Document Number: |
MIT-LCS-TR-969 |
| Publication Date: |
10-22-2004 |
| LCS Group: |
Networks and Mobile Systems |
| Abstract: |
| Recent denial of service attacks are mounted by professionals
using Botnets of tens of thousands of compromised
machines. To circumvent detection, attackers are
increasingly moving away from pure bandwidth floods to
attacks that mimic the Web browsing behavior of a large
number of clients, and target expensive higher-layer resources
such as CPU, database and disk bandwidth. The
resulting attacks are hard to defend against using standard
techniques as the malicious requests differ from the
legitimate ones in intent but not in content.
We present the design and implementation of Kill-Bots,
a kernel extension to protect Web servers against
DDoS attacks that masquerade as flash crowds. Kill-Bots
provides authentication using graphical tests but is different
from other systems that use graphical tests. First,
instead of authenticating clients based on whether they
solve the graphical test, Kill-Bots uses the test to quickly
identify the IP addresses of the attack machines. This
allows it to block the malicious requests while allowing
access to legitimate users who are unable or unwilling
to solve graphical tests. Second, Kill-Bots sends a test
and checks the client's answer without allowing unauthenticated
clients access to sockets, TCBs, worker processes,
etc. This protects the authentication mechanism
from being DDoSed. Third, Kill-Bots combines authentication
with admission control. As a result, it improves
performance, regardless of whether the server overload
is caused by DDoS or a true Flash Crowd. We have implemented
Kill-Bots in the Linux kernel and evaluated it
in the wide-area Internet using PlanetLab. |
| To obtain this publication: |
To purchase a printed copy of this publication please contact MIT Document Services.
|