LCS Publication Details
Publication Title: Botz-4-Sale: Surviving Organized DDoS Attacks that Mimic Flash Crowds
Publication Author: Kandula, Srikanth
Additional Authors: Dina Katabi, Matthias Jacob, Arthur Berger
LCS Document Number: MIT-LCS-TR-969
Publication Date: 10-22-2004
LCS Group: Networks and Mobile Systems
Additional URL:
Abstract:
Recent denial of service attacks are mounted by professionals using Botnets of tens of thousands of compromised machines. To circumvent detection, attackers are increasingly moving away from pure bandwidth oods to attacks that mimic the Web browsing behavior of a large number of clients, and target expensive higher-layer resources such as CPU, database and disk bandwidth. The resulting attacks are hard to defend against using standard techniques as the malicious requests differ from the legitimate ones in intent but not in content. We present the design and implementation of Kill- Bots, a kernel extension to protect Web servers against DDoS attacks that masquerade as ash crowds. Kill-Bots provides authentication using graphical tests but is different from other systems that use graphical tests. First, instead of authenticating clients based on whether they solve the graphical test, Kill-Bots uses the test to quickly identify the IP addresses of the attack machines. This allows it to block the malicious requests while allowing access to legitimate users who are unable or unwilling to solve graphical tests. Second, Kill-Bots sends a test and checks the client's answer without allowing unauthenticated clients access to sockets, TCBs, worker processes, etc. This protects the authentication mechanism from being DDoSed. Third, Kill-Bots combines authentication with admission control. As a result, it improves performance, regardless of whether the server overload is caused by DDoS or a true Flash Crowd. We have implemented Kill-Bots in the Linux kernel and evaluated it in the wide-area Internet using PlanetLab.
To obtain this publication:

To purchase a printed copy of this publication please contact MIT Document Services.