research-article

Public Access

DeDoS: Defusing DoS with Dispersion Oriented Software

Authors:

Henri Maxime Demoulin,

Isaac Pedisich,

Andreas Haeberlen,

Linh Thi Xuan Phan,

Wenchao ZhouAuthors Info & Claims

ACSAC '18: Proceedings of the 34th Annual Computer Security Applications Conference

Pages 712 - 722

https://doi.org/10.1145/3274694.3274727

Published: 03 December 2018 Publication History

Abstract

This paper presents DeDoS, a novel platform for mitigating asymmetric DoS attacks. These attacks are particularly challenging since even attackers with limited resources can exhaust the resources of well-provisioned servers. DeDoS offers a framework to deploy code in a highly modular fashion. If part of the application stack is experiencing a DoS attack, DeDoS can massively replicate only the affected component, potentially across many machines. This allows scaling of the impacted resource separately from the rest of the application stack, so that resources can be precisely added where needed to combat the attack. Our evaluation results show that DeDoS incurs reasonable overheads in normal operations, and that it significantly outperforms standard replication techniques when defending against a range of asymmetric attacks.

References

[1]

2011. SSL Renegotiation DoS. (2011). https://www.ietf.org/mail-archive/web/tls/current/msg07553.html.

[2]

2017. DeDOS demonstration at SIGCOMM 2017. https://www.youtube.com/watch?v=KX4EPnUzDqk. https://www.youtube.com/watch?v=KX4EPnUzDqk

[3]

2017. Regular expression Denial of Service - ReDoS. (2017). https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS.

[4]

2017. Tsung. http://tsung.erlang-projects.org/. http://tsung.erlang-projects.org/

[5]

2018. AWS Lambda. https://aws.amazon.com/lambda. https://aws.amazon.com/lambda

[6]

2018. Azure functions. https://functions.azure.com. https://functions.azure.com

[7]

2018. Common Vulnerabilities and Exposures (see CVE-2015-8386). (2018). http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8386.

[8]

2018. DeDOS on GitHub. https://github.com/dedos-project/DeDOS. https://github.com/dedos-project/DeDOS

[9]

2018. Google Cloud Functions. https://cloud.google.com/functions.

[10]

2018. OpenWhisk. https://developer.ibm.com/openwhisk.

[11]

Luiz André Barroso, Jimmy Clidaras, and Urs Hölzle. 2013. The datacenter as a computer: An introduction to the design of warehouse-scale machines. Synthesis lectures on computer architecture 8, 3 (2013), 1--154.

[12]

Ang Chen, Akshay Sriraman, Tavish Vaidya, Yuankai Zhang, Andreas Haeberlen, Boon Thau Loo, Linh Thi Xuan Phan, Micah Sherr, Clay Shields, and Wenchao Zhou. 2016. Dispersing Asymmetric DDoS Attacks with SplitStack. In Proc. HotNets.

Digital Library

[13]

Henri Maxime Demoulin, Tavish Vaidya, Isaac Pedisich, Nik Sultana, Bowen Wang, Jingyu Qian, Yuankai Zhang, Ang Chen, Andreas Haeberlen, Boon Thau Loo, et al. 2017. A Demonstration of the DeDoS Platform for Defusing Asymmetric DDoS Attacks in Data Centers. In Proceedings of the SIGCOMM Posters and Demos. ACM.

Digital Library

[14]

F5. 2018. SSL Acceleration. https://f5.com/glossary/ssl-acceleration.

[15]

Seyed K. Fayaz, Yoshiaki Tobioka, Vyas Sekar, and Michael Bailey. 2015. Bohatei: Flexible and Elastic DDoS Defense. In Proc. USENIX Security.

Digital Library

[16]

Bryan Ford, Godmar Back, Greg Benson, Jay Lepreau, Albert Lin, and Olin Shivers. 1997. The Flux OSKit: A Substrate for Kernel and Language Research. In Proc. SOSP.

Digital Library

[17]

Sadjad Fouladi, Riad S Wahby, Brennan Shacklett, Karthikeyan Balasubramaniam, William Zeng, Rahul Bhalerao, Anirudh Sivaraman, George Porter, and Keith Winstein. 2017. Encoding, Fast and Slow: Low-Latency Video Processing Using Thousands of Tiny Threads. In NSDI. 363--376.

Digital Library

[18]

Sean Gallagher. 2016. Double-dip Internet-of-Things Botnet Attack Felt Across the Internet. https://arstechnica.com/security/2016/10/double-dip-internet-of-things-botnet-attack-felt-across-the-internet/.

[19]

Alain Gefflaut, Trent Jaeger, Yoonho Park, Jochen Liedtke, Kevin J. Elphinstone, Volkmar Uhlig, Jonathon E. Tidswell, Luke Deller, and Lars Reuther. 2000. The SawMill Multiserver Approach. In Proc 9th ACM SIGOPS European Workshop. 109--114.

Digital Library

[20]

Gkbrk. 2018. SlowLoris attack tool. https://github.com/gkbrk/slowloris.

[21]

Saikat Guha, Paul Francis, and Nina Taft. 2008. ShutUp: End-to-End Containment of Unwanted Traffic. Technical Report. Cornell University.

[22]

Quan Jia, Huangxin Wang, Dan Fleck, Fei Li, Angelos Stavrou, and Walter Powell. 2014. Catch Me if You Can: A Cloud-Enabled DDoS Defense. In Proc. DSN.

Digital Library

[23]

Cheng Jin, Haining Wang, and Kang G. Shin. 2003. Hop-count filtering: an effective defense against spoofed DDoS traffic. In Proc. CCS.

Digital Library

[24]

Joyent Inc. and other Node contributors. {n. d.}. NodeJS HTTP Parser. https: //github.com/nodejs/http-parser.

[25]

Christine Kern. 2016. Increased Use Of Multi-Vector DDoS Attacks Targeting Companies. (2016). http://www.bsminfo.com/doc/increased-use-of-multi-vector-ddos-attacks-targeting-companies-0001.

[26]

Eddie Kohler, Robert Morris, Benjie Chen, John Jannotti, and M. Frans Kaashoek. 2000. The Click Modular Router. ACM Trans. Comput. Syst. 18, 3 (Aug. 2000), 263--297.

Digital Library

[27]

Soom Bum Lee, Min Suk Kang, and Virgil D. Gligor. 2013. CoDef: Collaborative Defense Against Large-Scale Link-Flooding Attacks. In Proc. CoNEXT.

Digital Library

[28]

Qi Liao, David A. Cieslak, Aaron D. Striegel, and Nitesh V. Chawla. 2008. Using selective, short-term memory to improve resilience against DDoS exhaustion attacks. Security and Communication Networks 1, 4 (2008), 287--299.

[29]

Boon Thau Loo, Tyson Condie, Minos Garofalakis, David E. Gay, Joseph M. Hellerstein, Petros Maniatis, Raghu Ramakrishnan, Timothy Roscoe, and Ion Stoica. 2009. Declarative networking. Comm. ACM 52, 11 (Nov. 2009), 87--95.

Digital Library

[30]

Ratul Mahajan, Steven M. Bellovin, Sally Floyd, John Ioannidis, Vern Paxson, and Scott Shenker. 2002. Controlling High Bandwidth Aggregates in the Network. In Proc. CCR.

Digital Library

[31]

Sam Newman. 2015. Building microservices: designing fine-grained systems." O'Reilly Media, Inc.".

Digital Library

[32]

Parveen Patel, Deepak Bansal, Lihua Yuan, Ashwin Murthy, Albert Green-berg, David A. Maltz, Randy Kern, Hemant Kumar, Marios Zikos, Hongyu Wu, Changhoon Kim, and Naveen Karri. 2013. Ananta: Cloud Scale Load Balancing. In Proc. SIGCOMM.

Digital Library

[33]

John Pescatore. 2014. DDoS Attacks Advancing and Enduring: A SANS Survey. Technical Report. SANS Institute.

[34]

picoTCP 2018. picoTCP. http://www.picotcp.com/.

[35]

Christian Rossow. 2014. Amplification Hell: Revisiting Network Protocols for DDoS Abuse. In Proc. NDSS.

[36]

Fabrice J. Ryba, Matthew Orlinski, Matthias Wählisch, Christian Rossow, and Thomas C. Schmidt. 2015. Amplification and DRDoS Attack Defense -- A Survey and New Perspectives. CoRR abs/1505.07892 (2015). http://arxiv.org/abs/1505.07892

[37]

David Senecal. 2013. Slow DoS on the Rise. (2013). https://blogs.akamai.com/2013/09/slow-dos-on-the-rise.html.

[38]

Willy Tarreau. 2018. HA-Proxy load balancer. http://haproxy.com/.

[39]

Matt Welsh, David Culler, and Eric Brewer. 2001. SEDA: An Architecture for Well-conditioned, Scalable Internet Services. In Proc. SOSP.

Digital Library

[40]

Jianxin Yan, Stephen Early, and Ross Anderson. 2000. The XenoService -- A Distributed Defeat for Distributed Denial of Service. In Proc. ISW.

[41]

Saman Taghavi Zargar, James Joshi, and David Tipper. 2013. A Survey of Defense Mechanisms Against Distributed Denial of Service (DDoS) Flooding Attacks. IEEE Communications Surveys & Tutorials 15, 4 (2013), 2046--2069.

Cited By

Tandon RWang HWeideman NArakelyan SBartlett GHauser CMirkovic J(2023)Leader: Defense Against Exploit-Based Denial-of-Service Attacks on Web ApplicationsProceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses10.1145/3607199.3607238(744-758)Online publication date: 16-Oct-2023
https://dl.acm.org/doi/10.1145/3607199.3607238
Kon PBarradas DChen AFernandes EAlcaraz C(2022)StargazeProceedings of the 4th Workshop on CPS & IoT Security and Privacy10.1145/3560826.3563382(47-53)Online publication date: 7-Nov-2022
https://dl.acm.org/doi/10.1145/3560826.3563382
Gao DLin HLi ZQian FChen QQian ZLiu WGong LLiu Y(2021)A nationwide census on wifi security threatsProceedings of the 27th Annual International Conference on Mobile Computing and Networking10.1145/3447993.3448620(242-255)Online publication date: 25-Oct-2021
https://dl.acm.org/doi/10.1145/3447993.3448620
Show More Cited By

Index Terms

DeDoS: Defusing DoS with Dispersion Oriented Software
1. Security and privacy
  1. Network security
    1. Denial-of-service attacks

Recommendations

A Demonstration of the DeDoS Platform for Defusing Asymmetric DDoS Attacks in Data Centers
SIGCOMM Posters and Demos '17: Proceedings of the SIGCOMM Posters and Demos

We propose a demonstration of DeDoS, a platform for mitigating asymmetric DDoS attacks. These attacks are particularly challenging since attackers using limited resources can exhaust the resources of even well-provisioned servers. DeDoS resolves this by ...
Detecting SYN flooding attacks based on traffic prediction

SYN flooding attacks are a common type of distributed denial-of-service attacks. Up to now, many defense schemes have been proposed against SYN flooding attacks. Traditional defense schemes rely on passively sniffing an attacking signature and are ...
To filter or to authorize: network-layer DoS defense against multimillion-node botnets
SIGCOMM '08: Proceedings of the ACM SIGCOMM 2008 conference on Data communication

This paper presents the design and implementation of a filter-based DoS defense system (StopIt) and a comparison study on the effectiveness of filters and capabilities. Central to the StopIt design is a novel closed-control, open-service architecture: ...

Comments

Information & Contributors

Information

Published In

cover image ACM Other conferences

ACSAC '18: Proceedings of the 34th Annual Computer Security Applications Conference

December 2018

766 pages

ISBN:9781450365697

DOI:10.1145/3274694

Copyright © 2018 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

In-Cooperation

ACSA: Applied Computing Security Assoc

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 03 December 2018

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article
Research
Refereed limited

Funding Sources

DARPA
National Science Foundation

Conference

ACSAC '18

ACSAC '18: 2018 Annual Computer Security Applications Conference

December 3 - 7, 2018

PR, San Juan, USA

Acceptance Rates

Overall Acceptance Rate 104 of 497 submissions, 21%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

5
Total Citations
View Citations
405
Total Downloads

Downloads (Last 12 months)84
Downloads (Last 6 weeks)15

Reflects downloads up to 09 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

Tandon RWang HWeideman NArakelyan SBartlett GHauser CMirkovic J(2023)Leader: Defense Against Exploit-Based Denial-of-Service Attacks on Web ApplicationsProceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses10.1145/3607199.3607238(744-758)Online publication date: 16-Oct-2023
https://dl.acm.org/doi/10.1145/3607199.3607238
Kon PBarradas DChen AFernandes EAlcaraz C(2022)StargazeProceedings of the 4th Workshop on CPS & IoT Security and Privacy10.1145/3560826.3563382(47-53)Online publication date: 7-Nov-2022
https://dl.acm.org/doi/10.1145/3560826.3563382
Gao DLin HLi ZQian FChen QQian ZLiu WGong LLiu Y(2021)A nationwide census on wifi security threatsProceedings of the 27th Annual International Conference on Mobile Computing and Networking10.1145/3447993.3448620(242-255)Online publication date: 25-Oct-2021
https://dl.acm.org/doi/10.1145/3447993.3448620
Liu YZhang MMeng W(2021)Revealer: Detecting and Exploiting Regular Expression Denial-of-Service Vulnerabilities2021 IEEE Symposium on Security and Privacy (SP)10.1109/SP40001.2021.00062(1468-1484)Online publication date: May-2021
https://doi.org/10.1109/SP40001.2021.00062
Demoulin HPedisich IVasilakis NLiu VLoo BPhan LDan TDahlia M(2019)Detecting asymmetric application-layer denial-of-service attacks in-flight with finelameProceedings of the 2019 USENIX Conference on Usenix Annual Technical Conference10.5555/3358807.3358866(693-707)Online publication date: 10-Jul-2019
https://dl.acm.org/doi/10.5555/3358807.3358866

View Options

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Media

Figures

Other

Tables

View Table of Contents