NSDI '05 Abstract
Awarded Best Student Paper!
Botz-4-Sale: Surviving Organized DDoS Attacks That Mimic Flash Crowds
Srikanth Kandula and Dina Katabi, Massachusetts Institute of Technology;
Matthias Jacob, Princeton University; Arthur Berger, Massachusetts Institute of
Recent denial of service attacks are mounted by professionals
using Botnets of tens of thousands of compromised machines. To
circumvent detection, attackers are increasingly moving away from
bandwidth floods to attacks that mimic the Web browsing behavior of a
large number of clients, and target expensive higher-layer resources
such as CPU, database and disk bandwidth. The resulting attacks are
hard to defend against using standard techniques, as the malicious
requests differ from the legitimate ones in intent but not in content.
We present the design and implementation of Kill-Bots, a kernel
extension to protect Web servers against DDoS attacks that masquerade
as flash crowds. Kill-Bots provides authentication using graphical
tests but is different from other systems that use graphical tests.
First, Kill-Bots uses an intermediate stage to identify the IP
addresses that ignore the test, and persistently bombard the server
with requests despite repeated failures at solving the tests. These
machines are bots because their intent is to congest the server. Once
these machines are identified, Kill-Bots blocks their requests, turns
the graphical tests off, and allows access to legitimate users who are
unable or unwilling to solve graphical tests. Second, Kill-Bots sends
a test and checks the client's answer without allowing unauthenticated
clients access to sockets, TCBs, and worker processes. Thus, it
protects the authentication mechanism from being DDoSed. Third,
Kill-Bots combines authentication with admission control. As a result,
it improves performance, regardless of whether the server overload is
caused by DDoS or a true Flash Crowd.
- View the full text of this paper in HTML and PDF.
Until May 2005, you will need your USENIX membership identification in order to access the full papers. The Proceedings are published as a collective work, © 2005 by the USENIX Association. All Rights Reserved. Rights to individual papers remain with the author or the author's employer. Permission is granted for the noncommercial reproduction of the complete work for educational or research purposes. USENIX acknowledges all trademarks within this paper.
- If you need the latest Adobe Acrobat Reader, you can download it from Adobe's site.