DDoS攻击防御

Proceedings of the 2006 conference on Applications, technologies, architectures, and protocols for computer communications Pub Date : 2006-08-11 DOI:10.1145/1159913.1159948

Michael Walfish, Mythili Vutukuru, H. Balakrishnan, David R Karger, S. Shenker

{"title":"DDoS攻击防御","authors":"Michael Walfish, Mythili Vutukuru, H. Balakrishnan, David R Karger, S. Shenker","doi":"10.1145/1159913.1159948","DOIUrl":null,"url":null,"abstract":"This paper presents the design, implementation, analysis, and experimental evaluation of speak-up, a defense against application-level distributed denial-of-service (DDoS), in which attackers cripple a server by sending legitimate-looking requests that consume computational resources (e.g., CPU cycles, disk). With speak-up, a victimized server encourages all clients, resources permitting, to automatically send higher volumes of traffic. We suppose that attackers are already using most of their upload bandwidth so cannot react to the encouragement. Good clients, however, have spare upload bandwidth and will react to the encouragement with drastically higher volumes of traffic. The intended outcome of this traffic inflation is that the good clients crowd out the bad ones, thereby capturing a much larger fraction of the server's resources than before. We experiment under various conditions and find that speak-up causes the server to spend resources on a group of clients in rough proportion to their aggregate upload bandwidth. This result makes the defense viable and effective for a class of real attacks.","PeriodicalId":109155,"journal":{"name":"Proceedings of the 2006 conference on Applications, technologies, architectures, and protocols for computer communications","volume":"40 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2006-08-11","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"255","resultStr":"{\"title\":\"DDoS defense by offense\",\"authors\":\"Michael Walfish, Mythili Vutukuru, H. Balakrishnan, David R Karger, S. Shenker\",\"doi\":\"10.1145/1159913.1159948\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"This paper presents the design, implementation, analysis, and experimental evaluation of speak-up, a defense against application-level distributed denial-of-service (DDoS), in which attackers cripple a server by sending legitimate-looking requests that consume computational resources (e.g., CPU cycles, disk). With speak-up, a victimized server encourages all clients, resources permitting, to automatically send higher volumes of traffic. We suppose that attackers are already using most of their upload bandwidth so cannot react to the encouragement. Good clients, however, have spare upload bandwidth and will react to the encouragement with drastically higher volumes of traffic. The intended outcome of this traffic inflation is that the good clients crowd out the bad ones, thereby capturing a much larger fraction of the server's resources than before. We experiment under various conditions and find that speak-up causes the server to spend resources on a group of clients in rough proportion to their aggregate upload bandwidth. This result makes the defense viable and effective for a class of real attacks.\",\"PeriodicalId\":109155,\"journal\":{\"name\":\"Proceedings of the 2006 conference on Applications, technologies, architectures, and protocols for computer communications\",\"volume\":\"40 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2006-08-11\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"255\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Proceedings of the 2006 conference on Applications, technologies, architectures, and protocols for computer communications\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1145/1159913.1159948\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 2006 conference on Applications, technologies, architectures, and protocols for computer communications","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/1159913.1159948","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 255

摘要

本文介绍了speakup的设计、实现、分析和实验评估，这是一种针对应用程序级分布式拒绝服务(DDoS)的防御，攻击者通过发送消耗计算资源(例如，CPU周期，磁盘)的合法请求来削弱服务器。使用语音提示，受害服务器鼓励所有客户端在资源允许的情况下自动发送更多流量。我们假设攻击者已经使用了大部分上传带宽，因此无法对鼓励做出反应。然而，好的客户端有空闲的上传带宽，并且会以急剧增加的流量对鼓励做出反应。这种流量膨胀的预期结果是，好的客户端排挤坏的客户端，从而获得比以前更多的服务器资源。我们在各种条件下进行了实验，发现自说自话会导致服务器在一组客户端上花费资源，其比例大致与它们的总上传带宽成比例。这个结果使得防御对于一类真实的攻击是可行和有效的。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

DDoS defense by offense

This paper presents the design, implementation, analysis, and experimental evaluation of speak-up, a defense against application-level distributed denial-of-service (DDoS), in which attackers cripple a server by sending legitimate-looking requests that consume computational resources (e.g., CPU cycles, disk). With speak-up, a victimized server encourages all clients, resources permitting, to automatically send higher volumes of traffic. We suppose that attackers are already using most of their upload bandwidth so cannot react to the encouragement. Good clients, however, have spare upload bandwidth and will react to the encouragement with drastically higher volumes of traffic. The intended outcome of this traffic inflation is that the good clients crowd out the bad ones, thereby capturing a much larger fraction of the server's resources than before. We experiment under various conditions and find that speak-up causes the server to spend resources on a group of clients in rough proportion to their aggregate upload bandwidth. This result makes the defense viable and effective for a class of real attacks.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

Proceedings of the 2006 conference on Applications, technologies, architectures, and protocols for computer communications

自引率

0.00%

发文量