Mitigating application-level denial of service attacks on Web servers

Authors: Mudhakar Srivatsa, Arun Iyengar, Jian Yin, Ling Liu

DOI: 10.1145/1377488.1377489

Keywords:

Abstract: Recently, we have seen increasing numbers of denial of service (DoS) attacks against online services and Web applications, either for extortion reasons or for impairing and even disabling the competition. These DoS attacks have increasingly targeted the application level. Application-level DoS attacks emulate the same request syntax and network-level traffic characteristics as those of legitimate clients, thereby making the attacks much harder to detect and counter. Moreover, such attacks often target bottleneck resources such as disk bandwidth, database bandwidth, and CPU resources. In this article, we propose handling DoS attacks by using a twofold mechanism. First, we perform admission control to limit the number of concurrent clients served by the online service. Admission control is based on port hiding, which renders the online service invisible to unauthorized clients by hiding the port number on which the service accepts incoming requests. Second, we perform congestion control on admitted clients to allocate more resources to good clients. Congestion control is achieved by adaptively setting a client's priority level in response to the client's requests, in a way that can incorporate application-level semantics. We present a detailed evaluation of the proposed solution using two sample applications: Apache HTTPD and the TPCW benchmark (running on Tomcat and IBM DB2). Our experiments show that the proposed solution incurs low performance overhead and is resilient to DoS attacks.
