
Mitigating Botnet-based DDoS Attacks against Web Servers



Abstract

Distributed denial-of-service (DDoS) attacks have become widespread on the Internet. They continuously target retail merchants, financial companies and government institutions, disrupting the availability of their online resources and causing millions of dollars of financial losses. Software vulnerabilities and proliferation of malware have helped create a class of application-level DDoS attacks using networks of compromised hosts (botnets). In a botnet-based DDoS attack, an attacker orders large numbers of bots to send seemingly regular HTTP and HTTPS requests to a web server, so as to deplete the server's CPU, disk, or memory capacity.

Researchers have proposed client authentication mechanisms, such as CAPTCHA puzzles, to distinguish bot traffic from legitimate client activity and discard bot-originated packets. However, CAPTCHA authentication is vulnerable to denial-of-service and artificial intelligence attacks. This dissertation proposes that clients instead use hardware tokens to authenticate in a federated authentication environment. The federated authentication solution must resist both man-in-the-middle and denial-of-service attacks. The proposed system architecture uses the Kerberos protocol to satisfy both requirements. This work proposes novel extensions to Kerberos to make it more suitable for generic web authentication.

A server could verify client credentials and blacklist repeated offenders. Traffic from blacklisted clients, however, still traverses the server's network stack and consumes server resources. This work proposes Sentinel, a dedicated front-end network device that intercepts server-bound traffic, verifies authentication credentials and filters blacklisted traffic before it reaches the server. Using a front-end device also allows transparently deploying hardware acceleration using network co-processors. Network co-processors can discard blacklisted traffic at the hardware level before it wastes front-end host resources.

We implement the proposed system architecture by integrating existing software applications and libraries. We validate the system implementation by evaluating its performance under DDoS attacks consisting of floods of HTTP and HTTPS requests.

Bibliographic record

  • Author: Djalaliev Peter
  • Author affiliation
  • Year: 2013
  • Total pages
  • Original format: PDF
  • Language of text: English
  • Chinese Library Classification
