Abstract
Internet service providers have resisted deploying Denial-of-Service (DoS) protection mechanisms despite numerous research results in the area. This is so primarily because ISPs cannot directly charge users for the use of such mechanisms, discouraging investment in the necessary infrastructure and operational support.
We describe a pay-per-use system that provides DoS protection for web servers and clients. Our approach is based on WebSOS, an overlay-based architecture that uses reverse Turing tests to discriminate between humans and the automated processes that are part of an attack. We extend WebSOS with a credential-based micropayment scheme that combines access control and payment authorization in a single operation. Unlike WebSOS, we use Graphic Turing Tests (GTTs) to prevent malicious code, such as a worm, from spending a user's micropayment wallet. Our architecture allows ISPs to accurately charge web clients and servers. Clients can dynamically decide whether to use WebSOS, based on the prevailing network conditions.
This work is supported in part by DARPA contract No. F30602-02-2-0125 (FTN program) and by the National Science Foundation under grant No. ANI-0117738 and CAREER Award No. ANI-0133829, with additional support from Cisco and the Intel IT Research Council. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the National Science Foundation.
© 2004 Springer-Verlag Berlin Heidelberg
Cite this paper
Stavrou, A., Ioannidis, J., Keromytis, A.D., Misra, V., Rubenstein, D. (2004). A Pay-per-Use DoS Protection Mechanism for the Web. In: Jakobsson, M., Yung, M., Zhou, J. (eds) Applied Cryptography and Network Security. ACNS 2004. Lecture Notes in Computer Science, vol 3089. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-24852-1_9
DOI: https://doi.org/10.1007/978-3-540-24852-1_9
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-22217-0
Online ISBN: 978-3-540-24852-1