Conference: IEEE Symposium on Reliable Distributed Systems

A Client-Transparent Approach to Defend Against Denial of Service Attacks


Abstract

Denial of Service (DoS) attacks attempt to consume a server's resources (network bandwidth, computing power, main memory, disk bandwidth, etc.) to near exhaustion so that there are no resources left to handle requests from legitimate clients. An effective solution to defend against DoS attacks is to filter DoS attack requests at the earliest point (say, the web site's firewall), before they consume much of the server's resources. Most defenses against DoS attacks attempt to filter requests from inauthentic clients before they consume much of the server's resources. Client authentication using techniques like IPSec or SSL may often require changes to the client-side software and may additionally require superuser privileges at the client for deployment. Further, using digital signatures (as in SSL) makes verification very expensive, thereby making the verification process itself a viable DoS target for the adversary. In this paper, we propose a lightweight, client-transparent technique to defend against DoS attacks with two unique features: (i) Our technique can be implemented entirely using JavaScript support provided by a standard client-side browser like Mozilla Firefox or Microsoft Internet Explorer. Client transparency follows from the fact that: (i) no changes to client-side software are required, (ii) no client-side superuser privileges are required, and (iii) clients (human beings or automated clients) can browse a DoS-protected website in the same manner that they browse other websites. (ii) Although we operate using the client-side browser (HTTP layer), our technique enables fast IP-level packet filtering at the server's firewall and requires no changes to the application(s) hosted by the web server. In this paper, we present a detailed design of our technique along with a detailed security analysis.
We also describe a concrete implementation of our proposal on the Linux kernel and present an evaluation using two applications: bandwidth-intensive Apache HTTPD and database-intensive TPCW. Our experiments show that our approach incurs a low performance overhead and is resilient to DoS attacks.
