killbots - Botz-4-Sale: Surviving Organized DDoS Attacks...

Info iconThis preview shows pages 1–2. Sign up to view the full content.

View Full Document Right Arrow Icon

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full DocumentRight Arrow Icon
This is the end of the preview. Sign up to access the rest of the document.

Unformatted text preview: Botz-4-Sale: Surviving Organized DDoS Attacks That Mimic Flash Crowds Srikanth Kandula Dina Katabi Matthias Jacob Arthur Berger MIT Princeton MIT/Akamai { kandula,dina } @csail.mit.edu mjacob@princeton.edu awberger@mit.edu Abstract Recent denial of service attacks are mounted by professionals using Botnets of tens of thousands of compro- mised machines. To circumvent detection, attackers are increas- ingly moving away from bandwidth floods to attacks that mimic the Web browsing behavior of a large number of clients, and tar- get expensive higher-layer resources such as CPU, database and disk bandwidth. The resulting attacks are hard to defend against using standard techniques, as the malicious requests differ from the legitimate ones in intent but not in content. We present the design and implementation of Kill-Bots, a kernel extension to protect Web servers against DDoS attacks that masquerade as flash crowds. Kill-Bots provides authentica- tion using graphical tests but is different from other systems that use graphical tests. First, Kill-Bots uses an intermediate stage to identify the IP addresses that ignore the test, and persistently bombard the server with requests despite repeated failures at solving the tests. These machines are bots because their intent is to congest the server. Once these machines are identified, Kill-Bots blocks their requests, turns the graphical tests off, and allows access to legitimate users who are unable or unwilling to solve graphical tests. Second, Kill-Bots sends a test and checks the clients answer without allowing unauthenticated clients ac- cess to sockets, TCBs, and worker processes. Thus, it protects the authentication mechanism from being DDoSed. Third, Kill- Bots combines authentication with admission control. As a re- sult, it improves performance, regardless of whether the server overload is caused by DDoS or a true Flash Crowd. 1 Introduction Denial of service attacks are increasingly mounted by professionals in exchange for money or material bene- fits [35]. Botnets of thousands of compromised machines are rented by the hour on IRC and used to DDoS online businesses to extort money or obtain commercial advan- tages [17, 26, 45]. The DDoS business is thriving; in- creasingly aggressive worms can infect up to 30,000 new machines per day. These zombies/bots are then used for DDoS and other attacks [17, 43]. In particular, [35] re- ports that a Massachusetts businessman paid members of the computer underground to launch organized, crip- pling DDoS attacks against three of his competitors. The attackers used Botnets of more than 10,000 machines. When the simple SYN flood failed, they launched an HTTP flood, downloading many large images from the victim server. At its peak, the onslaught allegedly kept the victim company offline for two weeks. In another in- stance, attackers ran a massive number of queries through the victims search engine, bringing the server down [35]....
View Full Document

This note was uploaded on 12/08/2011 for the course CS 525 taught by Professor Gupta during the Spring '08 term at University of Illinois, Urbana Champaign.

Page1 / 14

killbots - Botz-4-Sale: Surviving Organized DDoS Attacks...

This preview shows document pages 1 - 2. Sign up to view the full document.

View Full Document Right Arrow Icon
Ask a homework question - tutors are online