DOI: 10.1145/2486159.2486186
Research article

IRIS: a robust information system against insider DoS-attacks

Published: 23 July 2013

ABSTRACT

In this work we present the first scalable distributed information system, i.e., a system with low storage overhead, that is provably robust against Denial-of-Service (DoS) attacks by a current insider. We allow a current insider to have complete knowledge about the information system and to have the power to block any ξ-fraction of its servers by a DoS-attack, where ξ can be chosen up to a constant. The task of the system is to serve any collection of lookup requests with at most one per non-blocked server in an efficient way despite this attack. Previously, scalable solutions were only known for DoS-attacks of past insiders, where a past insider only has complete knowledge about some past time point t0 of the information system. Scheideler et al. [2, 3] showed that in this case it is possible to design an information system so that any information that was inserted or last updated after t0 is safe against a DoS-attack. But their constructions would not work at all for a current insider. The key idea behind our IRIS system is to make extensive use of coding. More precisely, we present two alternative distributed coding strategies with an at most logarithmic storage overhead that can handle up to a constant fraction of blocked servers.
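The abstract only states that IRIS reaches its robustness through coding; the two distributed coding strategies themselves are not on this page. The following added example (not the paper's own construction) illustrates the general principle with a Reed-Solomon style erasure code over the prime field GF(257), in the spirit of reference [26]: a data item is cut into k symbols, each of n servers stores one polynomial evaluation, and any k surviving servers suffice to rebuild the item. The prime P = 257, the choice of evaluation points x = 1..n, and the sample item and blocked-server set are assumptions made for the illustration, and a blocked server is modelled simply as a share that is unavailable.

```python
# Added illustration (not IRIS's own scheme): a Reed-Solomon style erasure
# code over GF(P). A data item of k symbols becomes a degree-(k-1) polynomial,
# and one evaluation is stored on each of n servers. Any k non-blocked servers
# suffice to reconstruct the item, so it survives as long as at most n-k
# servers are blocked. Storage overhead is n/k symbols per data symbol.

P = 257  # prime modulus (assumption); byte values 0..255 are field elements


def _inv(a: int) -> int:
    """Multiplicative inverse in GF(P) via Fermat's little theorem."""
    return pow(a, P - 2, P)


def encode(data: bytes, k: int, n: int) -> list[tuple[int, int]]:
    """Turn `data` (exactly k bytes) into n shares (x, f(x)), one per server.

    The bytes are the coefficients of f(x) = d0 + d1*x + ... + d_{k-1}*x^{k-1};
    share i is the evaluation at x = i + 1 (x = 0 is skipped so that no single
    server holds a raw data byte).
    """
    if len(data) != k:
        raise ValueError("data must have exactly k symbols")
    if not 0 < k <= n < P:
        raise ValueError("need 0 < k <= n < P")
    shares = []
    for i in range(n):
        x = i + 1
        y = 0
        for coeff in reversed(data):  # Horner evaluation of f at x
            y = (y * x + coeff) % P
        shares.append((x, y))
    return shares


def decode(shares: list[tuple[int, int]], k: int) -> bytes:
    """Recover the k coefficients from any k distinct shares by Lagrange
    interpolation over GF(P); raises if fewer than k shares survived."""
    pts = shares[:k]
    if len(pts) < k:
        raise ValueError("not enough surviving shares to reconstruct")
    coeffs = [0] * k  # coefficient vector of sum_j y_j * L_j(x)
    for j, (xj, yj) in enumerate(pts):
        num = [1]   # coefficients of prod_{m != j} (x - x_m), low degree first
        denom = 1   # prod_{m != j} (x_j - x_m)
        for m, (xm, _) in enumerate(pts):
            if m == j:
                continue
            new = [0] * (len(num) + 1)  # multiply num by (x - xm)
            for deg, c in enumerate(num):
                new[deg + 1] = (new[deg + 1] + c) % P
                new[deg] = (new[deg] - c * xm) % P
            num = new
            denom = denom * (xj - xm) % P
        scale = yj * _inv(denom) % P
        for deg, c in enumerate(num):
            coeffs[deg] = (coeffs[deg] + c * scale) % P
    return bytes(coeffs)


def simulate_blocking(data: bytes, k: int, n: int, blocked: set[int]) -> bytes:
    """Encode, discard the shares of the blocked servers (0-based indices),
    and reconstruct from whatever survived."""
    shares = encode(data, k, n)
    surviving = [s for i, s in enumerate(shares) if i not in blocked]
    return decode(surviving, k)


def storage_overhead(k: int, n: int) -> float:
    """Symbols stored across all servers per symbol of data."""
    return n / k


if __name__ == "__main__":
    item = b"secret"               # constructed sample item, k = 6 symbols
    k, n = len(item), 12           # 12 servers, any 6 suffice
    blocked = {0, 3, 4, 7, 9, 11}  # constructed: half of the servers blocked
    print("recovered:", simulate_blocking(item, k, n, blocked))
    print("storage overhead:", storage_overhead(k, n))
```

With n = 2k the code tolerates a blocked fraction of ξ = 1/2 at a constant overhead of 2; tolerating a larger constant fraction ξ means raising n/k accordingly, which is the trade-off the abstract's "logarithmic storage overhead" bound speaks to. The example does not model the insider's ability to choose which servers to block after seeing the placement, which is the part of the problem the paper's strategies address.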

References

  1. B. Awerbuch and C. Scheideler. Towards a Scalable and Robust DHT. In Proc. of SPAA, pages 318--327, 2006.
  2. B. Awerbuch and C. Scheideler. A Denial-of-Service Resistant DHT. In Proc. of DISC, pages 33--47, 2007.
  3. M. Baumgart, C. Scheideler, and S. Schmid. A DoS-resilient information system for dynamic data management. In Proc. of SPAA, pages 300--309, 2009.
  4. D. Bernstein. SYN Cookies. http://cr.yp.to/syncookies.html, 2008.
  5. A. Bhargava, K. Kothapalli, C. Riley, C. Scheideler, and M. Thober. Pagoda: A Dynamic Overlay Network for Routing, Data Management, and Multicasting. In Proc. of SPAA, pages 170--179, 2004.
  6. M. Blaum, J. Brady, J. Bruck, and J. Menon. EVENODD: an optimal scheme for tolerating double disk failures in RAID architectures. SIGARCH Comput. Archit. News, 22(2):245--254, Apr. 1994.
  7. H. Chernoff. A measure of asymptotic efficiency for tests of a hypothesis based on the sums of observations. Annals of Mathematical Statistics, 23:409--507, 1952.
  8. D. Dittrich, J. Mirkovic, S. Dietrich, and P. Reiher. Internet Denial of Service: Attack and Defense Mechanisms. Prentice Hall PTR, 2005.
  9. B. Doerr, L. A. Goldberg, L. Minder, T. Sauerwald, and C. Scheideler. Stabilizing consensus with the power of two choices. In Proc. of SPAA, pages 149--158, 2011.
  10. P. Druschel and A. Rowstron. Pastry: Scalable, Distributed Object Location and Routing for Large-Scale Peer-to-Peer Systems. In Proc. of Middleware, pages 329--350, 2001.
  11. N. J. A. Harvey, M. B. Jones, S. Saroiu, M. Theimer, and A. Wolman. SkipNet: A Scalable Overlay Network with Practical Locality Properties. In Proc. of USITS, page 9, 2003.
  12. J. Ioannidis and S. M. Bellovin. Implementing Pushback: Router-Based Defense Against DDoS Attacks. In Proc. of NDSS, 2002.
  13. S. Kandula, D. Katabi, M. Jacob, and A. Berger. Botz-4-Sale: Surviving Organized DDoS Attacks that Mimic Flash Crowds. In Proc. of NSDI, pages 287--300, 2005.
  14. F. Kargl, J. Maier, and M. Weber. Protecting Web Servers from Distributed Denial of Service Attacks. In Proc. of WWW, pages 514--524, 2001.
  15. A. D. Keromytis, V. Misra, and D. Rubenstein. SOS: Secure Overlay Services. In Proc. of SIGCOMM, pages 61--72, 2002.
  16. Mazu Networks Inc. http://mazunetworks.com, 2008.
  17. J. Mirkovic and P. Reiher. A Taxonomy of DDoS Attacks and Defense Mechanisms. In Proc. of SIGCOMM, 2004.
  18. W. G. Morein, A. Stavrou, D. L. Cook, A. D. Keromytis, V. Misra, and D. Rubenstein. Using Graphic Turing Tests to Counter Automated DDoS Attacks Against Web Servers. In Proc. of CCS, pages 8--19, 2003.
  19. M. Naor and U. Wieder. Novel Architectures for P2P Applications: the Continuous-Discrete Approach. In Proc. of SPAA, pages 50--59, 2003.
  20. G. Oikonomou, J. Mirkovic, P. Reiher, and M. Robinson. A Framework for Collaborative DDoS Defense. In Proc. of ACSAC, pages 33--42, 2006.
  21. V. N. Padmanabhan and K. Sripanidkulchai. The Case for Cooperative Networking. In Proc. of IPTPS, pages 178--190, 2002.
  22. R. Pagh and F. F. Rodler. Cuckoo hashing. In Proc. of ESA, pages 121--133, 2001.
  23. D. Peleg. Distributed Computing: A Locality-Sensitive Approach. Society for Industrial and Applied Mathematics, 2000.
  24. E. Ratliff. The Zombie Hunters. The New Yorker, 2005.
  25. S. Ratnasamy, P. Francis, M. Handley, R. Karp, and S. Shenker. A Scalable Content-Addressable Network. In Proc. of SIGCOMM, pages 161--172, 2001.
  26. I. Reed and G. Solomon. Polynomial codes over certain finite fields. Journal of the Society for Industrial and Applied Mathematics, 8(2):300--304, 1960.
  27. T. Stading, P. Maniatis, and M. Baker. Peer-to-Peer Caching Schemes to Address Flash Crowds. In Proc. of IPTPS, pages 203--213, 2002.
  28. A. Stavrou, D. Rubenstein, and S. Sahu. A Lightweight, Robust P2P System to Handle Flash Crowds. In Proc. of ICNP, pages 226--235, 2002.
  29. I. Stoica, D. Adkins, S. Zhuang, S. Shenker, and S. Surana. Internet Indirection Infrastructure. In Proc. of SIGCOMM, 2002.
  30. I. Stoica, R. Morris, D. Liben-Nowell, D. Karger, M. F. Kaashoek, F. Dabek, and H. Balakrishnan. Chord: A Scalable Peer-to-Peer Lookup Service for Internet Applications. Technical Report, MIT, 2002.
  31. M. Walfish, H. Balakrishnan, D. Karger, and S. Shenker. DoS: Fighting Fire with Fire. In Workshop on Hot Topics in Networks (HotNets), 2005.
  32. M. Walfish, M. Vutukuru, H. Balakrishnan, D. Karger, and S. Shenker. DDoS Defense By Offense. In Proc. of SIGCOMM, 36(4):303--314, 2006.
  33. Wikipedia. Denial-of-service attack. http://en.wikipedia.org/wiki/Denial-of-service_attack, accessed 12 February 2013.
  34. X. Yang, D. Wetherall, and T. Anderson. A DoS-Limiting Network Architecture. In Proc. of SIGCOMM, pages 241--252, 2005.

Reviews

Neil D Burgess

This academic paper presents the theory and use of an algorithm designed to detect denial-of-service (DoS) attacks by an adversary who has detailed knowledge of the system under attack. The description is very detailed, but not enough to allow the reader to reproduce the algorithm described. The attack space is constrained by limiting the system to one that reads records from a distributed database. While this covers many systems, it is hardly comprehensive. In summary, the proposed algorithm is a creditable effort, with a sound basis in theory. The paper is recommended reading for those with a commercial or academic interest in the field of online security.

(Online Computing Reviews Service)

Published in

SPAA '13: Proceedings of the twenty-fifth annual ACM symposium on Parallelism in algorithms and architectures
July 2013, 348 pages
ISBN: 9781450315722
DOI: 10.1145/2486159
Copyright © 2013 ACM


Publisher

Association for Computing Machinery, New York, NY, United States


Acceptance Rates

SPAA '13 paper acceptance rate: 31 of 130 submissions (24%). Overall acceptance rate: 447 of 1,461 submissions (31%).
