ABSTRACT
In this work we present the first scalable distributed information system, i.e., a system with low storage overhead, that is provably robust against Denial-of-Service (DoS) attacks by a current insider. We allow a current insider to have complete knowledge about the information system and the power to block any ξ-fraction of its servers by a DoS attack, where ξ can be chosen up to a constant. The task of the system is to serve any collection of lookup requests, at most one per non-blocked server, efficiently despite this attack. Previously, scalable solutions were only known for DoS attacks by past insiders, where a past insider has complete knowledge only about some past time point t0 of the information system. Scheideler et al. [2, 3] showed that in this case it is possible to design an information system so that any information that was inserted or last updated after t0 is safe against a DoS attack. But their constructions would not work at all for a current insider. The key idea behind our IRIS system is to make extensive use of coding. More precisely, we present two alternative distributed coding strategies with at most logarithmic storage overhead that can handle up to a constant fraction of blocked servers.
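As an added illustration of the coding idea behind IRIS (this is not the paper's own construction): a systematic Reed-Solomon style erasure code over GF(257) spreads every k-byte chunk over n servers so that any k non-blocked servers can answer a lookup, i.e., blocking any ξ-fraction with ξ ≤ (n-k)/n is survivable. The field size, the chunking, and the function names are choices made for this example; its storage overhead is the constant n/k, not the logarithmic overhead the paper's two strategies achieve.

```python
# Added illustration, not the paper's code: a systematic Reed-Solomon style
# erasure code over GF(257). A data chunk of k bytes is spread over n servers;
# any k non-blocked servers suffice to recover it, so up to (n-k)/n of the
# servers may be blocked by a DoS attack without losing any lookup.
P = 257  # prime field; every byte value 0..255 is a field element

def _lagrange_at(points, x):
    """Evaluate the unique polynomial of degree < len(points) through points at x."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total

def encode(data, k, n):
    """Return n share lists, one per server (0..n-1). Servers 0..k-1 keep the raw
    bytes of each chunk; servers k..n-1 keep evaluations of the interpolating
    polynomial at x = k..n-1, the redundancy that survives blocked servers."""
    assert 1 <= k <= n < P, "need k <= n and n distinct field points"
    padded = data + bytes(-len(data) % k)      # zero-pad to a multiple of k
    shares = [[] for _ in range(n)]
    for off in range(0, len(padded), k):
        chunk = padded[off:off + k]
        points = list(enumerate(chunk))        # (x, y) with x = 0..k-1
        for s in range(n):
            shares[s].append(chunk[s] if s < k else _lagrange_at(points, s))
    return shares

def decode(available, k, length):
    """Recover the data from the shares of any k non-blocked servers
    (available maps server index -> its share list). Raises if fewer than k."""
    if len(available) < k:
        raise ValueError("need %d servers, only %d responded" % (k, len(available)))
    servers = sorted(available)[:k]
    out = bytearray()
    for c in range(len(available[servers[0]])):
        points = [(s, available[s][c]) for s in servers]
        out.extend(_lagrange_at(points, x) for x in range(k))
    return bytes(out[:length])

def lookup_under_attack(shares, blocked, k, length):
    """Simulate a lookup while the servers in `blocked` are DoS-blocked."""
    alive = {s: sh for s, sh in enumerate(shares) if s not in blocked}
    return decode(alive, k, length)
```

With n = 8 and k = 4 the lookup still succeeds when any 4 servers, including all 4 that hold the raw bytes, are blocked; blocking a fifth exceeds the tolerated fraction and the decode fails loudly instead of returning wrong data.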
- B. Awerbuch and C. Scheideler. Towards a Scalable and Robust DHT. In Proc. of SPAA, pages 318--327, 2006.
- B. Awerbuch and C. Scheideler. A Denial-of-Service Resistant DHT. In Proc. of DISC, pages 33--47, 2007.
- M. Baumgart, C. Scheideler, and S. Schmid. A DoS-resilient information system for dynamic data management. In Proc. of SPAA, pages 300--309, 2009.
- D. Bernstein. SYN Cookies. http://cr.yp.to/syncookies.html, 2008.
- A. Bhargava, K. Kothapalli, C. Riley, C. Scheideler, and M. Thober. Pagoda: A Dynamic Overlay Network for Routing, Data Management, and Multicasting. In Proc. of SPAA, pages 170--179, 2004.
- M. Blaum, J. Brady, J. Bruck, and J. Menon. EVENODD: an optimal scheme for tolerating double disk failures in RAID architectures. SIGARCH Comput. Archit. News, 22(2):245--254, Apr. 1994.
- H. Chernoff. A measure of asymptotic efficiency for tests of a hypothesis based on the sums of observations. Annals of Mathematical Statistics, 23:409--507, 1952.
- D. Dittrich, J. Mirkovic, S. Dietrich, and P. Reiher. Internet Denial of Service: Attack and Defense Mechanisms. Prentice Hall PTR, 2005.
- B. Doerr, L. A. Goldberg, L. Minder, T. Sauerwald, and C. Scheideler. Stabilizing consensus with the power of two choices. In Proc. of SPAA, pages 149--158, 2011.
- P. Druschel and A. Rowstron. Pastry: Scalable, Distributed Object Location and Routing for Large-Scale Peer-to-Peer Systems. In Proc. of Middleware, pages 329--350, 2001.
- N. J. A. Harvey, M. B. Jones, S. Saroiu, M. Theimer, and A. Wolman. SkipNet: A Scalable Overlay Network with Practical Locality Properties. In Proc. of USITS, page 9, 2003.
- J. Ioannidis and S. M. Bellovin. Implementing Pushback: Router-Based Defense Against DDoS Attacks. In Proc. of NDSS, 2002.
- S. Kandula, D. Katabi, M. Jacob, and A. Berger. Botz-4-Sale: Surviving Organized DDoS Attacks that Mimic Flash Crowds. In Proc. of NSDI, pages 287--300, 2005.
- F. Kargl, J. Maier, and M. Weber. Protecting Web Servers from Distributed Denial of Service Attacks. In Proc. of WWW, pages 514--524, 2001.
- A. D. Keromytis, V. Misra, and D. Rubenstein. SOS: Secure Overlay Services. In Proc. of SIGCOMM, pages 61--72, 2002.
- Mazu Networks Inc. http://mazunetworks.com, 2008.
- J. Mirkovic and P. Reiher. A Taxonomy of DDoS Attacks and Defense Mechanisms. In Proc. of SIGCOMM, 2004.
- W. G. Morein, A. Stavrou, D. L. Cook, A. D. Keromytis, V. Misra, and D. Rubenstein. Using Graphic Turing Tests to Counter Automated DDoS Attacks Against Web Servers. In Proc. of CCS, pages 8--19, 2003.
- M. Naor and U. Wieder. Novel Architectures for P2P Applications: the Continuous-Discrete Approach. In Proc. of SPAA, pages 50--59, 2003.
- G. Oikonomou, J. Mirkovic, P. Reiher, and M. Robinson. A Framework for Collaborative DDoS Defense. In Proc. of ACSAC, pages 33--42, 2006.
- V. N. Padmanabhan and K. Sripanidkulchai. The Case for Cooperative Networking. In Proc. of IPTPS, pages 178--190, 2002.
- R. Pagh and F. F. Rodler. Cuckoo hashing. In Proc. of ESA, pages 121--133, 2001.
- D. Peleg. Distributed Computing: A Locality-Sensitive Approach. Society for Industrial and Applied Mathematics, 2000.
- E. Ratliff. The Zombie Hunters. The New Yorker, 2005.
- S. Ratnasamy, P. Francis, M. Handley, R. Karp, and S. Shenker. A Scalable Content-Addressable Network. In Proc. of SIGCOMM, pages 161--172, 2001.
- I. Reed and G. Solomon. Polynomial codes over certain finite fields. Journal of the Society of Industrial and Applied Mathematics, 8(2):300--304, 1960.
- T. Stading, P. Maniatis, and M. Baker. Peer-to-Peer Caching Schemes to Address Flash Crowds. In Proc. of IPTPS, pages 203--213, 2002.
- A. Stavrou, D. Rubenstein, and S. Sahu. A Lightweight, Robust P2P System to Handle Flash Crowds. In Proc. of ICNP, pages 226--235, 2002.
- I. Stoica, D. Adkins, S. Zhuang, S. Shenker, and S. Surana. Internet Indirection Infrastructure. In Proc. of SIGCOMM, 2002.
- I. Stoica, R. Morris, D. Liben-Nowell, D. Karger, M. F. Kaashoek, F. Dabek, and H. Balakrishnan. Chord: A Scalable Peer-to-Peer Lookup Service for Internet Applications. Technical Report, MIT, 2002.
- M. Walfish, H. Balakrishnan, D. Karger, and S. Shenker. DoS: Fighting Fire with Fire. In Workshop on Hot Topics in Networks (HotNets), 2005.
- M. Walfish, M. Vutukuru, H. Balakrishnan, D. Karger, and S. Shenker. DDoS Defense By Offense. In Proc. of SIGCOMM, 36(4):303--314, 2006.
- Wikipedia. Denial-of-service attack. http://en.wikipedia.org/wiki/Denial-of-service_attack, accessed 12 February 2013.
- X. Yang, D. Wetherall, and T. Anderson. A DoS-Limiting Network Architecture. In Proc. of SIGCOMM, pages 241--252, 2005.