Mitigating Botnet-based DDoS Attacks against Web Servers

Djalaliev, Peter (2013) Mitigating Botnet-based DDoS Attacks against Web Servers. Doctoral Dissertation, University of Pittsburgh. (Unpublished)

Preview

PDF Primary Text Download (2MB) | Preview

Abstract

Distributed denial-of-service (DDoS) attacks have become wide-spread on the Internet. They continuously target retail merchants, financial companies and government institutions, disrupting the availability of their online resources and causing millions of dollars of financial losses. Software vulnerabilities and proliferation of malware have helped create a class of application-level DDoS attacks using networks of compromised hosts (botnets). In a botnet-based DDoS attack, an attacker orders large numbers of bots to send seemingly regular HTTP and HTTPS requests to a web server, so as to deplete the server's CPU, disk, or memory capacity.

Researchers have proposed client authentication mechanisms, such as CAPTCHA puzzles, to distinguish bot traffic from legitimate client activity and discard bot-originated packets. However, CAPTCHA authentication is vulnerable to denial-of-service and artificial intelligence attacks. This dissertation proposes that clients instead use hardware tokens to authenticate in a federated authentication environment. The federated authentication solution must resist both man-in-the-middle and denial-of-service attacks. The proposed system architecture uses the Kerberos protocol to satisfy both requirements. This work proposes novel extensions to Kerberos to make it more suitable for generic web authentication.

A server could verify client credentials and blacklist repeated offenders. Traffic from blacklisted clients, however, still traverses the server's network stack and consumes server resources. This work proposes Sentinel, a dedicated front-end network device that intercepts server-bound traffic, verifies authentication credentials and filters blacklisted traffic before it reaches the server. Using a front-end device also allows transparently deploying hardware acceleration using network co-processors. Network co-processors can discard blacklisted traffic at the hardware level before it wastes front-end host resources.

We implement the proposed system architecture by integrating existing software applications and libraries. We validate the system implementation by evaluating its performance under DDoS attacks consisting of floods of HTTP and HTTPS requests.

---

Share

Citation/Export:	Select format... Citation - Text Citation - HTML Endnote BibTex Dublin Core OpenURL MARC (ISO 2709) METS MODS EP3 XML Reference Manager Refer
Social Networking:	Share |

---

Details

Item Type:	University of Pittsburgh ETD
Status:	Unpublished
Creators/Authors:	Creators Email Pitt Username ORCID Djalaliev, Peter peter.djalaliev@gmail.com
ETD Committee:	Title Member Email Address Pitt Username ORCID Thesis Advisor Lee, Adam J. adamlee@cs.pitt.edu ADAMLEE Committee Member Zhang, Youtao zhangyt@cs.pitt.edu YOUTAO Committee Member Mossé, Daniel mosse@cs.pitt.edu MOSSE Committee Member Krishnamurthy, Prashant prashant@mail.sis.pitt.edu PRASHK
Date:	1 October 2013
Date Type:	Publication
Defense Date:	15 July 2013
Approval Date:	1 October 2013
Submission Date:	16 August 2013
Access Restriction:	No restriction; Release the ETD for access worldwide immediately.
Number of Pages:	140
Institution:	University of Pittsburgh
Schools and Programs:	Dietrich School of Arts and Sciences > Computer Science
Degree:	PhD - Doctor of Philosophy
Thesis Type:	Doctoral Dissertation
Refereed:	Yes
Uncontrolled Keywords:	DDoS, botnets, hardware tokens, federated authentication, Kerberos, RSA SecurID
Date Deposited:	01 Oct 2013 14:02
Last Modified:	15 Nov 2016 14:14
URI:	http://d-scholarship.pitt.edu/id/eprint/19676

---

Metrics

Monthly Views for the past 3 years

Plum Analytics

---

Actions (login required)

View Item