WDA: A Web farm distributed denial of service attack attenuator

Ehud Doron*, Avishai Wool

*Corresponding author for this work

Research output: Contribution to journalArticlepeer-review

Abstract

Distributed Denial Of Service (DDoS) attacks are familiar threats to Internet users for more than 10 years. Such attacks are carried out by a "bot-net", an army of zombie hosts spread around the Internet, that overwhelm the bandwidth toward their victim Web server, by sending traffic upon command. This paper introduces WDA, a novel architecture to attenuate the DDoS attacker's bandwidth. WDA is especially designed to protect Web farms. WDA is asymmetric and only monitors and protects the uplink toward the Web farm, which is the typical bottleneck in DDoS attacks. Legitimate traffic toward Web farms is very distinctive since it is produced by humans using Web-browsing software. Specifically, such upload traffic has low volume, and more importantly, has long off times that correspond to human view time. WDA utilizes these properties of legitimate client traffic to distinguish it from attack traffic, which tends to be continuous and heavy. A key feature of WDA is in its use of randomized thresholds that trap and penalize deterministic zombie traffic that tries to mimic human client patterns. WDA's heart is WDAQ, a novel active queue management mechanism aimed to prefer legitimate client traffic over attacker traffic. With WDA installed, the attacker traffic toward the victim is attenuated. Extensive simulation results show that WDA can defeat simple flooding attacks, and can attenuate the bandwidth usable by sophisticated WDA-aware attacks by orders of magnitude. As a consequence, the attacker must increase his "bot-net" size by the same factor, to compensate for the effects of WDA. Our simulations show that WDA can defend a typical Web farm from DDoS attacks launched by hundreds of thousands zombies, while keeping legitimate clients' service degradation under 10%.

Original languageEnglish
Pages (from-to)1037-1051
Number of pages15
JournalComputer Networks
Volume55
Issue number5
DOIs
StatePublished - 1 Apr 2011

Keywords

  • Distributed Denial Of Service
  • Network security

Fingerprint

Dive into the research topics of 'WDA: A Web farm distributed denial of service attack attenuator'. Together they form a unique fingerprint.

Cite this