A Multilayer Overlay Network Architecture for Enhancing IP Services Availability against DoS

  • Dimitris Geneiatakis
  • Georgios Portokalidis
  • Angelos D. Keromytis
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7093)


Protection against Denial of Service (DoS) attacks is a challenging and ongoing problem. Current overlay-based solutions can transparently filter unauthorized traffic based on user authentication. Such solutions require either pre-established trust or explicit user interaction to operate, which can be circumvented by determined attackers and is not always feasible (e.g., when user interaction is impossible or undesirable). We propose a Multi-layer Overlay Network (MON) architecture that does not depend on user authentication, but instead utilizes two mechanisms to provide DoS resistant to any IP-based service, and operates on top of the existing network infrastructure. First, MON implements a threshold-based intrusion detection mechanism in a distributed fashion to mitigate DoS close to the attack source. Second, it randomly distributes user packets amongst different paths to probabilistically increase service availability during an attack. We evaluate MON using the Apache web server as a protected service. Results demonstrate MON nodes introduce very small overhead, while users’ service access time increases by a factor of 1.1 to 1.7, depending on the configuration. Under an attack scenario MON can decrease the attack traffic forwarded to the service by up to 85%. We believe our work makes the use of overlays for DoS protection more practical relative to prior work.


Intrusion Detection System Overlay Network Protected Service Message Authentication Code Malicious User 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Abatishchev: Low orbit ion cannon,
  2. 2.
    Abramson, N.: THE ALOHA SYSTEM: another alternative for computer communications. In: AFIPS 1970 (Fall): Proceedings of the fall Joint Computer Conference, November 17-19, pp. 281–285. ACM (1970)Google Scholar
  3. 3.
    Andersen, D.G.: Mayday: Distributed Filtering for Internet Services. In: Proceedings of the 4th Usenix Symposium on Internet Technologies and Systems, Seattle, WA (March 2003)Google Scholar
  4. 4.
    Andersen, D.G., Balakrishnan, H., Kaashoek, M.F., Morris, R.: The case for resilient overlay networks. In: Proceedings of the 8th Workshop on Hot Topics in Operating Systems, p. 152. IEEE Computer Society (2001)Google Scholar
  5. 5.
    Beitollahi, H., Deconinck, G.: An overlay protection layer against denial-of-service attacks. In: Proceeding of the IEEE International Parallel and Distributed Processing Symposium (IPDPS), pp. 1–8 (April 2008)Google Scholar
  6. 6.
    Beitollahi, H., Deconinck, G.: FOSeL: filtering by helping an overlay security layer to mitigate DoS attacks. In: Proceedings of the IEEE International Symposium on Network Computing and Applications, pp. 19–28. IEEE Computer Society (2008)Google Scholar
  7. 7.
    Chee, W.O., Brennan, T.: Slow HTTP POST DoS attacks. OWASP AppSec DC (2010), (November 2010)
  8. 8.
    Chellapilla, K., Simard, P.Y.: Using Machine Learning to Break Visual Human Interaction Proofs (HIPs). In: Advances in Neural Information Processing Systems (NIPS), vol. 17, pp. 265–272. MIT Press (2005)Google Scholar
  9. 9.
    Cheswick, W.R., Bellovin, S.M., Rubin, A.D.: Firewalls and Internet security: repelling the wily hacker. Addison-Wesley (2003)Google Scholar
  10. 10.
    Cretu-Ciocarlie, G.F., Stavrou, A., Locasto, M.E., Stolfo, S.J.: Adaptive anomaly detection via self-calibration and dynamic updating. In: Kieda, E., Jha, S., Balzarotti, D. (eds.) RAID 2009. LNCS, vol. 5758, pp. 41–60. Springer, Heidelberg (2009)Google Scholar
  11. 11.
    Dixon, C., Anderson, T., Krishnamurthy, A.: Phalanx: withstanding multimillion-node botnets. In: Proceedings of the 5th USENIX Symposium on Networked Systems Design and Implementation, NSDI 2008, pp. 45–58 (2008)Google Scholar
  12. 12.
    Gil, T.M., Poletto, M.: MULTOPS: a data-structure for bandwidth attack detection. In: Proceedings of the 10th USENIX Security Symposium (August 2001)Google Scholar
  13. 13.
    GNU: The GNU multiple precision arithmetic library,
  14. 14.
    Hovemeyer, D., Pugh, W.: Finding more null pointer bugs, but not too many. In: Proceedings of the 7th ACM SIGPLAN-SIGSOFT Workshop on Program Analysis for Software Tools and Engineering (PASTE), pp. 9–14 (2007)Google Scholar
  15. 15.
    Ioannidis, J., Bellovin, S.M.: Implementing Pushback: Router-based defense against DDoS attacks. In: Proceedings of the Network and Distributed System Security Symposium (NDSS) (February 2002)Google Scholar
  16. 16.
    Ioannidis, S., Keromytis, A.D., Bellovin, S.M., Smith, J.M.: Implementing a distributed firewall. In: Proceedings of the 7th ACM Conference on Computer and Communications Security, CCS 2000, pp. 190–199. ACM (2000)Google Scholar
  17. 17.
    Jula, H., Tralamazza, D., Zamfir, C., Candea, G.: Deadlock immunity: enabling systems to defend against deadlocks. In: Proceedings of the 8th USENIX Conference on Operating Systems Design and Implementation (OSDI), pp. 295–308 (2008)Google Scholar
  18. 18.
    Keromytis, A.D., Misra, V., Rubenstein, D.: SOS: secure overlay services. In: Proceedings of the 2002 SIGCOMM Conference, pp. 61–72 (August 2002)Google Scholar
  19. 19.
    Krasnyansky, M.: Virtual point-to-point (TUN) and ethernet (TAP) devices,
  20. 20.
    Kurian, J., Kulkarni, A., Vu, H.T., Sarac, K.: ODON: an On-Demand security overlay for Mission-Critical applications. In: Proceedings of the International Conference on Computer Comm. and Netw., pp. 1–6. IEEE Computer Society (2009)Google Scholar
  21. 21.
    Kurian, J., Saraç, K.: Provider provisioned overlay networks and their utility in dos defense. In: Proceeding of the IEEE GLOBECOM, pp. 474–479 (2007)Google Scholar
  22. 22.
    Mirkovic, J., Dietrich, S., Dittrich, D., Reiher, P.: Internet Denial of Service: Attack and Defense Mechanisms, illustrated edn. Prentice Hall (January 2005)Google Scholar
  23. 23.
    Mirkovic, J., Reiher, P.: D-ward: A source-end defense against flooding denial-of-service attacks. IEEE Trans. Dependable Secur. Comput. 2, 216–232 (2005)CrossRefGoogle Scholar
  24. 24.
    Oikonomou, G., Mirkovic, J., Reiher, P., Robinson, M.: A framework for a collaborative ddos defense. In: Proceedings of the 22nd Annual Computer Security Applications Conference, pp. 33–42. IEEE Computer Society (2006)Google Scholar
  25. 25.
    Patcha, A., Park, J.M.: An overview of anomaly detection techniques: Existing solutions and latest technological trends. Comput. Netw. 51, 3448–3470 (2007)CrossRefGoogle Scholar
  26. 26.
    Kent, S., Seo, K.: Security architecture for the internet protocol. RFC 4301 (December 2005)Google Scholar
  27. 27.
    Siris, V.A., Papagalou, F.: Application of anomaly detection algorithms for detecting syn flooding attacks. Comput. Commun. 29, 1433–1442 (2006)CrossRefGoogle Scholar
  28. 28.
    Stavrou, A., Cook, D.L., Morein, W.G., Keromytis, A.D., Misra, V., Rubenstein, D.: WebSOS: an overlay-based system for protecting web servers from denial of service attacks. Computer Networks 48(5), 781–807 (2005)CrossRefGoogle Scholar
  29. 29.
    Stavrou, A., Keromytis, A.D.: Countering dos attacks with stateless multipath overlays. In: Proceedings of the 12th ACM Conference on Computer and Communications Security, CCS 2005, pp. 249–259. ACM, New York (2005)Google Scholar
  30. 30.
    Titz, O.: Why tcp over tcp is a bad idea,
  31. 31.
    Viega, J., Messier, M., Chandra, P.: Network Security with OpenSSL, 1st edn. O’Reilly Media (June 2002)Google Scholar
  32. 32.
    Von Ahn, L., Blum, M., Langford, J.: Telling humans and computers apart automatically. Commun. ACM 47, 56–60 (2004)CrossRefGoogle Scholar
  33. 33.
    Wang, H., Zhang, D., Shin, K.G.: Change-point monitoring for the detection of dos attacks. IEEE Trans. Dependable Secur. Comput. 1, 193–208 (2004)CrossRefGoogle Scholar
  34. 34.
    Wang, K., Parekh, J.J., Stolfo, S.J.: Anagram: A Content Anomaly Detector Resistant to Mimicry Attack. In: Zamboni, D., Krügel, C. (eds.) RAID 2006. LNCS, vol. 4219, pp. 226–248. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  35. 35.
    Wang, X., Feng, D., Lai, X., Yu, H.: Collisions for hash functions md4, md5, haval-128 and ripemd. Cryptology ePrint Archive, Report 2004/199 (2004)Google Scholar
  36. 36.
    Yaar, A., Perrig, A., Song, D.: SIFF: A stateless internet flow filter to mitigate DDoS flooding attacks. In: Proceedings of the IEEE Symposium on Security and Privacy, pp. 130–143 (2004)Google Scholar
  37. 37.
    Yang, X., Wetherall, D., Anderson, T.: A DoS-limiting network architecture. In: Proceedings of the 2005 Conference on Applications, Technologies, Architectures, and Protocols for Computer Comm., pp. 241–252 (2005)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Dimitris Geneiatakis
    • 1
  • Georgios Portokalidis
    • 1
  • Angelos D. Keromytis
    • 1
  1. 1.Department of Computer ScienceColumbia UniversityNew YorkUSA

Personalised recommendations