A2M: Access-Assured Mobile Desktop Computing

  • Angelos Stavrou
  • Ricardo A. Barrato
  • Angelos D. Keromytis
  • Jason Nieh
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5735)

Abstract

Continued improvements in network bandwidth, cost, and ubiquitous access are enabling service providers to host desktop computing environments to address the complexity, cost, and mobility limitations of today's personal computing infrastructure. However, distributed denial of service attacks can deny use of such services to users. We present A2M, a secure and attack-resilient desktop computing hosting infrastructure. A2M combines a stateless and secure communication protocol, a single-hop indirection-based network (IBN) and a remote display architecture to provide mobile users with continuous access to their desktop computing sessions. Our architecture protects both the hosting infrastructure and the client's connections against a wide range of service disruption attacks. Unlike any other DoS protection system, A2M takes advantage of its low-latency remote display mechanisms and asymmetric traffic characteristics by using multi-path routing to send a small number of replicas of each packet transmitted from client to server. This packet replication through different paths diversifies the client-server communication, boosting system resiliency and reducing end-to-end latency. Our analysis and experimental results on PlanetLab demonstrate that A2M significantly increases the hosting infrastructure's attack resilience even for wireless scenarios. Using conservative ISP bandwidth data, we show that we can protect against attacks involving thousands (150,000) of attackers, while providing good performance for multimedia and web applications and basic GUI interactions even when up to 30% and 50%, respectively, of indirection nodes become unresponsive.
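The resilience argument above, as an added example that is not the paper's code: a toy simulation of sending each client-to-server packet through r randomly chosen nodes of a single-hop indirection network while a fraction f of the nodes is unresponsive, compared with the analytic delivery probability 1 - f^r. The node count, replica counts, and the server deduplicating replicas by sequence number are assumptions made for the model.

```python
import random
from typing import List, Set

# Constructed model (added example, not A2M's implementation): a client forwards
# r replicas of every packet via r distinct indirection nodes. A fraction f of
# the nodes is unresponsive (e.g. saturated by an attack) and silently drops
# traffic. The server deduplicates by sequence number, so a packet counts as
# delivered if at least one replica traversed a responsive node.

def build_ibn(num_nodes: int, unresponsive_fraction: float,
              rng: random.Random) -> List[bool]:
    """Return one 'responsive' flag per indirection node; False nodes drop everything."""
    down = set(rng.sample(range(num_nodes), int(num_nodes * unresponsive_fraction)))
    return [i not in down for i in range(num_nodes)]

def send_session(num_packets: int, replicas: int, nodes: List[bool],
                 rng: random.Random) -> float:
    """Simulate one client session; return the fraction of packets the server received."""
    delivered: Set[int] = set()
    for seq in range(num_packets):
        # Pick r distinct indirection nodes for this packet and send one replica via each.
        for node in rng.sample(range(len(nodes)), replicas):
            if nodes[node]:
                delivered.add(seq)  # server keeps only the first replica of each sequence number
                break
    return len(delivered) / num_packets

def analytic_delivery(unresponsive_fraction: float, replicas: int) -> float:
    """With independent node choices, a packet is lost only if all r replicas hit unresponsive nodes."""
    return 1.0 - unresponsive_fraction ** replicas

if __name__ == "__main__":
    rng = random.Random(7)
    # The two unresponsive fractions quoted in the abstract (30% and 50%).
    for f in (0.30, 0.50):
        nodes = build_ibn(200, f, rng)
        for r in (1, 2, 3):
            sim = send_session(20000, r, nodes, rng)
            print(f"f={f:.2f} r={r}: simulated {sim:.3f}, "
                  f"analytic {analytic_delivery(f, r):.3f}")
```

The simulated rates sit slightly above the analytic values because nodes are drawn without replacement from a finite set; the gap shrinks as the network grows.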

Keywords

Video Quality, Node Failure, Input Event, Service Attack, Packet Replication
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Angelos Stavrou (1)
  • Ricardo A. Barrato (2)
  • Angelos D. Keromytis (2)
  • Jason Nieh (2)
  1. Computer Science Department, George Mason University, USA
  2. Computer Science Department, Columbia University, USA