Abstract
Recently, we have seen increasing numbers of denial of service (DoS) attacks against online services and web applications, either for extortion or for impairing and even disabling the competition. These DoS attacks have increasingly targeted the application level. Application level DoS attacks emulate the same request syntax and network level traffic characteristics as those of legitimate clients, thereby making the attacks much harder to detect and counter. Moreover, such attacks usually target bottleneck resources such as disk bandwidth, database bandwidth, and CPU resources. In this paper we propose server-side middleware to counter application level DoS attacks. The key idea behind our technique is to adaptively vary a client's priority level, and the relative amount of resources devoted to this client, in response to the client's past requests in a way that incorporates application level semantics. Application specific knowledge is used to evaluate the cost and the utility of each request and the likelihood that a sequence of requests is sent by a malicious client. Based on these evaluations, a client's priority level is increased or decreased accordingly. A client's priority level is used by the server side firewall to throttle the client's request rate, thereby ensuring that more server side resources are allocated to legitimate clients. We present a detailed implementation of our approach on the Linux kernel and evaluate it using two sample applications: Apache HTTPD micro-benchmarks and TPCW. Our experiments show that our approach incurs low performance overhead and is resilient to application level DoS attacks.
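The following is an added illustration of the priority-adjustment idea the abstract describes, not the authors' middleware or their Linux kernel implementation. The request model (per-request cost and utility), the malicious-likelihood heuristic, the update weights and the rate scaling are all assumptions made for this example.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Request:
    cost: float     # normalised server-side cost (CPU, disk, DB time), 0..1
    utility: float  # normalised application-level value of the request, 0..1


@dataclass
class ClientState:
    priority: float = 1.0
    recent: deque = field(default_factory=lambda: deque(maxlen=8))


class PriorityMiddleware:
    """Tracks a per-client priority; the priority scales the request rate
    that a (simulated) server-side firewall admits for that client."""

    def __init__(self, base_rate=100.0, min_priority=0.05, max_priority=1.0):
        self.base_rate = base_rate
        self.min_p, self.max_p = min_priority, max_priority
        self.clients = {}

    def _state(self, client_id):
        return self.clients.setdefault(client_id, ClientState())

    @staticmethod
    def malicious_likelihood(recent):
        # Assumed heuristic: share of recent requests that were expensive but
        # of little application value, the pattern an application-level DoS
        # client produces while looking syntactically legitimate.
        if not recent:
            return 0.0
        bad = sum(1 for r in recent if r.cost > 0.5 and r.utility < 0.2)
        return bad / len(recent)

    def observe(self, client_id, req):
        st = self._state(client_id)
        st.recent.append(req)
        # Assumed update rule: reward cheap useful work, penalise costly
        # low-utility work, and penalise further when the sequence looks hostile.
        delta = 0.2 * (req.utility - req.cost) - 0.3 * self.malicious_likelihood(st.recent)
        st.priority = min(self.max_p, max(self.min_p, st.priority + delta))
        return st.priority

    def allowed_rate(self, client_id):
        """Requests per second the firewall would admit for this client."""
        return self.base_rate * self._state(client_id).priority


def simulate():
    """Constructed workload: one browsing client, one client issuing costly,
    valueless requests. Returns the admitted rate for each."""
    mw = PriorityMiddleware()
    for _ in range(10):
        mw.observe("legit", Request(cost=0.1, utility=0.8))
        mw.observe("attacker", Request(cost=0.9, utility=0.0))
    return mw.allowed_rate("legit"), mw.allowed_rate("attacker")
```

With these weights the browsing client stays at full priority while the costly client is clamped to the minimum priority after two requests, so its admitted rate falls from 100 to 5 requests per second.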
© 2006 IFIP International Federation for Information Processing
Srivatsa, M., Iyengar, A., Yin, J., Liu, L. (2006). A Middleware System for Protecting Against Application Level Denial of Service Attacks. In: van Steen, M., Henning, M. (eds) Middleware 2006. Middleware 2006. Lecture Notes in Computer Science, vol 4290. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11925071_14
DOI: https://doi.org/10.1007/11925071_14
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-49023-4
Online ISBN: 978-3-540-68256-1
eBook Packages: Computer Science (R0)