A Client Bootstrapping Protocol for DoS Attack Mitigation on Entry Point Services in the Cloud

Published: 01 January 2020

Abstract

This paper presents a client bootstrapping protocol for a proxy-based moving target defense system in the cloud. The protocol establishes the identity of prospective clients that intend to connect to web services placed behind obscure (unadvertised) proxy servers in a cloud-based network. In client bootstrapping, a set of first-line-of-defense services receives new client requests, executes an algorithm to assign each client to a proxy server, and replies with the address of the chosen proxy. The bootstrapping protocol reveals only one proxy address to each client, so the addresses of the other proxy servers remain hidden. Hiding proxy addresses lowers the likelihood that any given proxy becomes the victim of a denial-of-service (DoS) attack. Existing works address this problem by requiring prospective clients to solve computationally intensive puzzles; this slows the progression of attacks, but it also slows legitimate new clients. This paper presents an alternative based on the observation that the limited capacity for handling initial network requests is the primary reason the first line of defense succumbs to denial-of-service attacks. The suggested alternative is therefore to handle client bootstrapping on cost-effective, high-capacity networks, thwarting attacks on the first line of defense. A prototype implementation of the protocol using Google's Firebase demonstrates the proof of concept for web services that receive requests from clients on mobile devices.
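The abstract describes the bootstrapping step only at a high level: a first-line service receives a new client, runs an assignment algorithm, and returns exactly one proxy address. The following is an added example, not code from the paper or its Firebase prototype, of one way to implement that step so that each client learns a single proxy and a proxy can refuse clients that never went through bootstrapping. The assignment algorithm (a keyed hash of the client identity), the proxy hostnames, the ticket format and the shared service key are all assumptions made for this illustration; the paper's own assignment algorithm is not given in the abstract.

```python
"""Added example (not the paper's code): a minimal client-bootstrapping service.

Assumptions, since the abstract does not specify the assignment algorithm:
  * proxies are identified by hostnames in a fixed pool (names are made up);
  * a client is assigned by an HMAC of its identity under a service key, so
    each client learns exactly one proxy and cannot derive another client's
    proxy without the key;
  * the reply carries an HMAC ticket, and the proxies share the service key
    so they can refuse clients that were not bootstrapped to them.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class BootstrapService:
    proxies: list[str]                 # pool of obscure proxy addresses
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    epoch: int = 0                     # bumped to re-shuffle all assignments

    def _index(self, client_id: str) -> int:
        # Keyed hash keeps the client -> proxy mapping unpredictable to outsiders.
        msg = f"{self.epoch}|{client_id}".encode()
        mac = hmac.new(self.key, msg, hashlib.sha256).digest()
        return int.from_bytes(mac[:8], "big") % len(self.proxies)

    def _ticket(self, client_id: str, proxy: str, epoch: int) -> str:
        msg = f"{epoch}|{client_id}|{proxy}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def bootstrap(self, client_id: str) -> dict:
        """Handle a new-client request: reveal one proxy plus a ticket bound to it."""
        proxy = self.proxies[self._index(client_id)]
        return {"proxy": proxy,
                "ticket": self._ticket(client_id, proxy, self.epoch),
                "epoch": self.epoch}

    def verify_ticket(self, client_id: str, proxy: str, ticket: str, epoch: int) -> bool:
        """Run on a proxy: accept only clients bootstrapped to this proxy in the current epoch."""
        if epoch != self.epoch:
            return False               # stale assignment after a shuffle
        expected = self._ticket(client_id, proxy, epoch)
        return hmac.compare_digest(expected, ticket)

    def shuffle(self) -> None:
        """Re-assign every client, e.g. after a proxy has come under attack."""
        self.epoch += 1


def proxies_exposed(service: BootstrapService, attacker_ids: list[str]) -> set[str]:
    """Distinct proxy addresses an attacker learns by bootstrapping N identities.

    The count is bounded by the number of identities the attacker can obtain,
    which is why the bootstrapping tier, not the proxies, must absorb the load.
    """
    return {service.bootstrap(cid)["proxy"] for cid in attacker_ids}


if __name__ == "__main__":
    # Constructed sample pool; any real deployment would use its own addresses.
    svc = BootstrapService(proxies=[f"proxy-{i}.internal.example" for i in range(8)])
    reply = svc.bootstrap("client-A")
    print("client-A ->", reply["proxy"])
    print("ticket valid on assigned proxy:",
          svc.verify_ticket("client-A", reply["proxy"], reply["ticket"], reply["epoch"]))
    print("proxies learned from 3 attacker identities:",
          len(proxies_exposed(svc, ["bot-1", "bot-2", "bot-3"])))
```

Two properties matter here. A client obtains the same proxy on repeated requests within an epoch, so it cannot walk the pool by retrying, and an attacker with k identities learns at most k addresses. After `shuffle()` every outstanding ticket becomes invalid, which is the shuffling step the moving-target literature relies on once a proxy is hit. The example does not model the capacity argument the abstract makes; that is a deployment property of the bootstrapping tier rather than of the protocol logic.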


Published In

Security and Communication Networks, Volume 2020 (3122 pages)
ISSN: 1939-0114
EISSN: 1939-0122
This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Publisher

John Wiley & Sons, Inc.

United States

